


@Mov AX, 0xDEAD

If you're feeling motivated, can we start working on NDIS6 support for XP?

missing imports -

	ndis -
    
NtTraceControl
KeRegisterProcessorChangeCallback
RtlNumberOfSetBitsUlongPtr
KeTestSpinLock
IoGetDeviceNumaNode
NtQuerySystemInformationEx

	netio -
    
MmAllocatePagesForMdlEx
KeFreeCalloutStack
KeAllocateCalloutStack
SeCaptureSubjectContextEx
KeTestSpinLock
SeAccessCheckFromState
RtlCreateHashTable
RtlDeleteHashTable
RtlGetNextEntryHashTable
RtlLookupEntryHashTable
RtlRemoveEntryHashTable
RtlInsertEntryHashTable
RtlEndEnumerationHashTable
RtlEnumerateEntryHashTable
RtlInitEnumerationHashTable
RtlContractHashTable
RtlExpandHashTable

	msrpc -
    
IoSetIoCompletionEx
ZwAlpcCancelMessage
ZwAlpcCreatePortSection
ZwAlpcCreateResourceReserve
ZwAlpcCreateSectionView
ZwAlpcCreateSecurityContext
ZwAlpcDeletePortSection
ZwAlpcDeleteSectionView
ZwAlpcDeleteSecurityContext
ZwAlpcDisconnectPort
ZwAlpcQueryInformation
ZwAlpcSetInformation
ZwCreateIoCompletion
ZwImpersonateAnonymousToken
ZwRemoveIoCompletionEx
	


I made a start on ndis6 code in ntoskrn8.c



///////////////////////////////////////////////////////////////////
////////////////////////////// ndis6 //////////////////////////////
///////////////////////////////////////////////////////////////////


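/*
 * One link of the per-thread SEH frame chain.  The decompiled NtTraceControl
 * reference further down pushes and pops such a frame through *fs.
 *
 * The original declaration lacked `typedef`, so the trailing
 * EXCEPTION_REGISTRATION_RECORD / PEXCEPTION_REGISTRATION_RECORD were two
 * file-scope variables rather than the type names the `} NAME, *PNAME;`
 * form is meant to introduce.  If the DDK headers in use already provide
 * this type, drop this duplicate instead of keeping both.
 */
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
    struct _EXCEPTION_REGISTRATION_RECORD *Next;   /* enclosing frame in the chain */
    /* Handler receives the exception record, this frame, the thread context
       and the dispatcher context. */
    enum _EXCEPTION_DISPOSITION  ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *);
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;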

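/*
 * Extended SEH frame as laid out by the x86 compiler's _except_handler4
 * prologue: the plain link (SubRecord) preceded by the saved ESP and the
 * exception pointers, followed by the cookie-encoded scope table and the
 * current try level.
 *
 * `typedef` was missing, turning the intended type names into variables.
 * Note also that the decompiled NtTraceControl reference below addresses
 * this frame as .SavedEsp/.ScopeTable/.Handler/.Next, which are not the
 * member names declared here (SavedESP, EncodedScopeTable, SubRecord.*);
 * that pseudocode does not compile against this declaration as-is.
 */
typedef struct _EH_EXCEPTION_REGISTRATION_RECORD
{
    void *SavedESP;
    struct _EXCEPTION_POINTERS *ExceptionPointers;
    struct _EXCEPTION_REGISTRATION_RECORD SubRecord;   /* the link that actually sits in the chain */
    unsigned int EncodedScopeTable;                    /* scope table pointer XORed with the security cookie */
    unsigned long TryLevel;
} EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD;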

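NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize);

/*
 * NtTraceControl_k8 - placeholder for the Vista ETW control syscall that
 * ndis.sys (NDIS 6) imports.
 *
 * FunctionCode selects the ETW operation (see the decompiled reference in the
 * body); InBuffer/InBufferLen and OutBuffer/OutBufferLen are the caller's
 * request and reply buffers; *ReturnSize receives the number of bytes written
 * to OutBuffer.
 *
 * Nothing is implemented yet: no tracing happens and no reply is produced.
 * The stub therefore reports a reply length of zero instead of leaving the
 * caller's ULONG untouched -- an import that trusts STATUS_SUCCESS would
 * otherwise copy or parse OutBuffer using whatever ReturnSize happened to
 * contain.
 *
 * The block comment in the body is the decompiled Vista x86 routine, kept as
 * the reference for the eventual port.  Things to know when reading it:
 *  - it names the last parameter ReturnLength where this prototype says
 *    ReturnSize, and uses .SavedEsp/.ScopeTable/.Handler/.Next on the
 *    _EH_EXCEPTION_REGISTRATION_RECORD, which that declaration does not
 *    spell that way -- it does not compile as written;
 *  - the negative literals are NTSTATUS values, e.g. -1073741811 is
 *    0xC000000D (STATUS_INVALID_PARAMETER), -1073741801 is 0xC0000017
 *    (STATUS_NO_MEMORY), -1073741306 is 0xC0000206
 *    (STATUS_INVALID_BUFFER_SIZE);
 *  - the user-mode path (PreviousMode branch, the "else" at the bottom)
 *    probes both buffers and the ReturnLength pointer before the work is
 *    done; a port must keep that ordering.
 */
NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize)
{
/*
    Decompiled reference (Vista, x86).  The register/stack annotations are
    the decompiler's.

//    unsigned int ReturnSize; // [esp-52]
    unsigned int LocalReturnLength; // [esp-36]
    struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28]
    unsigned int local_0x4; // [esp-4]
    struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp
    unsigned int ebp; // ebp
    void * fs; // fs
    unsigned long * v3; // eax
    unsigned long NumberOfBytes; // eax
    struct _GUID * RealtimeConnectContext; // eax
    long v1; // eax
    struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp

    local_0x4 = 40;
    ExceptionRegistration.TryLevel = &scope_table_365;
    ExceptionRegistration.ScopeTable = &NtTraceControl+0xC;
    ExceptionRegistration.Handler = &_except_handler4;
    ExceptionRegistration.Next = *fs;
    local_0x4 = ebp;
    ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie;
    ExceptionRegistration.SavedEsp = esp.SavedEsp - 76;
    ExceptionRegistration.TryLevel = 4294967294;
    ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie;
    *fs = &ExceptionRegistration.Next;
    RealtimeConnectContext = 0;
    LocalReturnLength = 0;
    if( *(*((unsigned char *)fs + 292) + 231) == 0 ) {
        node_19:
        if( InBufferLen == 0 && OutBufferLen == 0 ) {
            RealtimeConnectContext = 0;
        } else {
            if( InBufferLen <= OutBufferLen ) {
                NumberOfBytes = OutBufferLen;
            } else {
                NumberOfBytes = InBufferLen;
            }
            RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 );
            if( RealtimeConnectContext == 0 ) {
                v1 = -1073741801;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                if( RealtimeConnectContext != 0 ) {
                    *(v2.SavedEsp + 4294967292) = 0;
                    *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                    *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
                    ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
                }
                *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
                *fs = ExceptionRegistration.Next;
                return v1;
            } else if( InBuffer != 0 ) {
                memcpy( RealtimeConnectContext, InBuffer, InBufferLen );
            }
        }
        if( FunctionCode < 18 ) {
            if( FunctionCode != 17 ) {
                if( FunctionCode < 14 ) {
                    if( FunctionCode != 13 ) {
                        if( FunctionCode != 0 ) {
                            if( FunctionCode > 5 ) {
                                if( FunctionCode != 11 ) {
                                    if( FunctionCode == 12 ) {
                                        if( InBufferLen == 16 && OutBufferLen == 16 ) {
                                            EtwpCreateActivityId( RealtimeConnectContext );
                                            LocalReturnLength = 16;
                                            v1 = 0;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            goto node_167;
                                        }
                                    }
                                } else if( InBufferLen == 32 && OutBufferLen == 32 ) {
                                    v1 = EtwpRealtimeConnect( RealtimeConnectContext );
                                    LocalReturnLength = 32;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    goto node_167;
                                }
                            } else {
                                if( InBufferLen < 176 || OutBufferLen < 176 ) {
                                    v1 = -1073741306;
                                } else {
                                    if( RealtimeConnectContext == 0 ) {
                                        v1 = -1073741811;
                                    } else if( RealtimeConnectContext->Data1 < 176 ) {
                                        v1 = -1073741306;
                                    } else {
                                        v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485;
                                    }
                                    if( v1 >= 0 ) {
                                        if( RealtimeConnectContext->Data1 > InBufferLen ) {
                                            v1 = -1073741306;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            v1 = 0;
                                        }
                                    }
                                }
                                if( v1 < 0 ) {
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    switch( FunctionCode ) {
                                        case 1: {
                                            v1 = EtwpStartTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 2: {
                                            v1 = EtwpStopTrace( RealtimeConnectContext, 0 );
                                            break;
                                        }
                                        case 3: {
                                            v1 = EtwpQueryTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 4: {
                                            v1 = EtwpUpdateTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 5: {
                                            v1 = EtwpFlushTrace( RealtimeConnectContext );
                                            break;
                                        }
                                    }
                                    LocalReturnLength = 176;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                }
                            }
                        }
                    } else if( InBufferLen == 48 && OutBufferLen == 0 ) {
                        v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 );
                        v2.SavedEsp = esp.SavedEsp + 4294967224;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( FunctionCode != 14 ) {
                    if( FunctionCode != 15 ) {
                        if( FunctionCode == 16 ) {
                            if( InBufferLen == 0 && OutBufferLen < 65537 ) {
                                v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength );
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                goto node_167;
                            }
                        }
                    } else if( InBufferLen == 160 && OutBufferLen == 160 ) {
                        v1 = EtwpRegisterUMGuid( RealtimeConnectContext );
                        LocalReturnLength = 160;
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 8 && OutBufferLen == 0 ) {
                    v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) {
                goto node_167;
            } else {
                if( RealtimeConnectContext->Data1 == 3 ) {
                    v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 );
                    LocalReturnLength = OutBufferLen;
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                }
            }
        } else if( FunctionCode != 18 ) {
            if( FunctionCode != 19 ) {
                if( FunctionCode != 20 ) {
                    if( FunctionCode == 21 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else if( FunctionCode != 22 ) {
                        if( FunctionCode == 23 ) {
                            LocalReturnLength = OutBufferLen;
                            v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength );
                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                            goto node_231;
                        } else if( FunctionCode == 24 ) {
                            if( InBufferLen != 0 || OutBufferLen != 0 ) {
                                goto node_167;
                            } else if( EtwpSecurityProviderPID != 0 ) {
                                v1 = -1073741790;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524);
                                v1 = 0;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            }
                        }
                    } else if( InBufferLen == 16 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 0 && OutBufferLen == 0 ) {
                    v1 = WdiUpdateSem();
                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen == 8 && OutBufferLen > 71 ) {
                v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize );
                LocalReturnLength = ReturnSize;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                goto node_231;
            } else {
                goto node_167;
            }
        } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) {
            RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524);
            v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 );
            v2.SavedEsp = esp.SavedEsp + 4294967224;
            goto node_231;
        } else {
            goto node_167;
        }
        v1 = -1073741808;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        goto node_231;
        node_167:
        v1 = -1073741811;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        node_231:
        if( v1 >= 0 ) {
            if( LocalReturnLength != 0 ) {
                *(v2.SavedEsp + 4294967292) = LocalReturnLength;
                *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                *(v2.SavedEsp + 4294967284) = OutBuffer;
                *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC;
                memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
            }
            ReturnLength[0] = LocalReturnLength;
        }
        if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) {
            ReturnLength[0] = LocalReturnLength;
        }
    } else {
        if( InBuffer == 0 ) {
            InBufferLen = 0;
        } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) {
            *MmUserProbeAddress = 0;
        }
        if( OutBuffer != 0 ) {
            ProbeForWrite( OutBuffer, OutBufferLen, 1 );
        } else {
            OutBufferLen = 0;
        }
        if( ReturnLength == 0 ) {
            v1 = -1073741811;
            v2.SavedEsp = esp.SavedEsp + 4294967220;
        } else {
            if( ReturnLength >= MmUserProbeAddress ) {
                v3 = MmUserProbeAddress;
            } else {
                v3 = ReturnLength;
            }
            v3[0] = v3[0];
            goto node_19;
        }
    }
    if( RealtimeConnectContext != 0 ) {
        *(v2.SavedEsp + 4294967292) = 0;
        *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
        *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
        ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
    }
    *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
    *fs = ExceptionRegistration.Next;
    return v1;
*/

    /* Mark the request handled with no reply bytes. */
    (void)FunctionCode;
    (void)InBuffer;
    (void)InBufferLen;
    (void)OutBuffer;
    (void)OutBufferLen;

    if (ReturnSize != NULL) {
        *ReturnSize = 0;
    }

    return STATUS_SUCCESS;
}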


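PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
);

/*
 * KeRegisterProcessorChangeCallback_k8 - placeholder for the Vista routine
 * that registers CallbackFunction (invoked with CallbackContext) for
 * processor add notifications.
 *
 * Returns an opaque registration handle, or NULL when registration failed.
 * This stub registers nothing and says so by returning NULL.  The original
 * `return STATUS_SUCCESS;` produced the same null pointer, but read as a
 * success status it hid that a PVOID-returning caller sees it as failure;
 * an importer that treats NULL as fatal will refuse to start until a real
 * implementation hands back a token that the matching deregister routine
 * accepts.  Flags is accepted and ignored.
 */
PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
)
{
    (void)CallbackFunction;
    (void)CallbackContext;
    (void)Flags;

    return NULL;
}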


#pragma warning(disable : 4333)

//
//  Lookup table that tells how many clear bits (i.e., 0) there are in a byte
//

//
//  Indexed by a byte value 0..255; entry i is 8 minus the population count
//  of i (entry 0 is 8, entry 255 is 0), so 8 - RtlpBitsClearTotal[i] gives
//  the number of set bits in that byte.  The table must stay exactly 256
//  entries long because callers index it with an unmasked byte.
//
CONST CCHAR RtlpBitsClearTotal[] =
          { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 };


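ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
);

/*
 * RtlNumberOfSetBitsUlongPtr_k8 - population count of Target.
 *
 * Returns the number of 1 bits in Target.  Consumes one byte per iteration,
 * so it is correct for a 32- or 64-bit ULONG_PTR alike.
 *
 * The previous body was raw decompiler output in which the casts bound
 * before the shifts -- "(unsigned char)~Target >> 16" and
 * "(unsigned char)~Target / 256" are always 0 -- so bytes 1 and 2 of Target
 * never reached the table and the result was wrong for most inputs.  The
 * C4333 pragma above only silenced the warning about that.
 */
ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
)
{
    ULONG SetBits = 0;

    /* RtlpBitsClearTotal counts the zero bits of a byte, hence 8 - entry. */
    while (Target != 0) {
        SetBits += 8 - (ULONG)RtlpBitsClearTotal[Target & 0xFF];
        Target >>= 8;
    }

    return SetBits;
}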

// Memory-manager-internal cache attribute (the Mi prefix and PFN in the name
// suggest it is what the PFN database records -- confirm against the XP mm
// headers).  It is the value type of MiPlatformCacheAttributes below, and
// the decompiled MmAllocatePagesForMdlEx reference selects MiNotMapped (3)
// for any CacheType above 2.
typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached,      // 0
    MiCached,         // 1
    MiWriteCombined,  // 2
    MiNotMapped       // 3
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;


//
// Cache control stuff.  Note this may be overridden by deficient hardware
// platforms at startup.
//

//
// Maps a MEMORY_CACHING_TYPE to the attribute actually used: the first
// MmMaximumCacheType entries are for memory space, the second set for I/O
// space.  The twelve initializers below therefore assume
// MmMaximumCacheType == 6; if that enum ever grows the tail of the array is
// silently zero-filled (MiNonCached).  The decompiled MmAllocatePagesForMdlEx
// reference only reads indices 0..2 of the memory-space half.
//
MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] =
{
    //
    // Memory space
    //

    MiNonCached,
    MiCached,
    MiWriteCombined,
    MiCached,
    MiNonCached,
    MiWriteCombined,

    //
    // I/O space
    //

    MiNonCached,
    MiCached,
    MiWriteCombined,
    MiCached,
    MiNonCached,
    MiWriteCombined
};

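PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
);


/*
 * MmAllocatePagesForMdlEx_k8 - XP back-port of the Vista MDL page allocator.
 *
 * LowAddress, HighAddress, SkipBytes and TotalBytes are forwarded unchanged
 * to the XP MmAllocatePagesForMdl.
 *
 * CacheType is accepted but not applied: the XP allocator has no caching
 * parameter (the MiAllocatePagesForMdl call that took one is left commented
 * in the reference below), so pages come back with the default attribute
 * and a caller that needs a different one must map them accordingly.
 *
 * Flags: the reference rejects anything outside the low two bits and so
 * does this port.  Those two bits are the Vista hint flags
 * MM_DONT_ZERO_ALLOCATION and MM_ALLOCATE_FROM_LOCAL_NODE_ONLY; dropping a
 * hint is harmless, whereas silently ignoring an unknown -- possibly
 * mandatory -- flag would hand a caller an allocation that does not meet
 * the contract it asked for.  The previous body ignored Flags entirely.
 *
 * Returns the MDL, or NULL when Flags carries unsupported bits or the
 * underlying allocation fails.
 */
PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
)
{
    /*
    Decompiled Vista reference:

    enum _MI_PFN_CACHE_ATTRIBUTE CacheAttribute; // eax
    struct _MDL * v1; // eax

    if( CacheType > 2 ) {
        CacheAttribute = 3;
    } else {
        CacheAttribute = MiPlatformCacheAttributes[CacheType];
    }
    if( (Flags & 0xFFFFFFFC) != 0 ) {
        v1 = 0;
    } else {
//        v1 = MiAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes, CacheAttribute, Flags );
        v1 = MmAllocatePagesForMdl( LowAddress.u.LowPart, HighAddress.u.LowPart, SkipBytes.u.LowPart, TotalBytes  );
    }
    return v1;
    */

    (void)CacheType;   /* no XP equivalent; see header comment */

    /* Same acceptance test as the reference: only the two hint bits may be set. */
    if ((Flags & 0xFFFFFFFC) != 0) {
        return NULL;
    }

    return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes );
}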

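BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
);

/*
 * KeTestSpinLock_k8 - non-blocking probe of a spin lock.
 *
 * Returns TRUE when SpinLock is currently free and FALSE when it is held,
 * which is the documented contract of the Vista routine.  On XP a
 * KSPIN_LOCK is a ULONG_PTR that holds zero while free and non-zero while
 * owned, so a single aligned read is the whole test.  The previous stub
 * answered TRUE unconditionally, telling callers a held lock was available.
 *
 * The result is only a snapshot -- the lock may change hands right after
 * the read -- so callers must still acquire it normally before relying on
 * it.
 */
BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
)
{
    /* volatile: force a real load rather than a cached value */
    return (BOOLEAN)(*(volatile ULONG_PTR *)SpinLock == 0);
}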


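NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
);

/*
 * IoGetDeviceNumaNode_k8 - report the NUMA node a device (Pdo) belongs to.
 *
 * This shim consults no topology: every device is reported as node 0 and
 * the call succeeds.  *NodeNumber is always written when the pointer is
 * non-NULL; the previous stub returned STATUS_SUCCESS without touching it,
 * so a caller that trusted the status read whatever was left on its stack.
 * Pdo is accepted and ignored.
 */
NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
)
{
    (void)Pdo;

    if (NodeNumber != NULL) {
        *NodeNumber = 0;
    }

    return STATUS_SUCCESS;
}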

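NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength);

/*
 * ZwQuerySystemInformationEx_k8 - Vista-style system query with an input
 * qualifier, layered on the XP ZwQuerySystemInformation.
 *
 * SystemInformationClass selects the query; SystemInformation and
 * SystemInformationLength describe the caller's output buffer; *ReturnLength
 * (optional) receives the size needed or written.  InputBuffer and
 * InputBufferLength carry the per-class qualifier that the Ex variant adds.
 *
 * Without a qualifier the request is exactly what the pre-Vista routine
 * answers, so it is forwarded verbatim and that routine's status and
 * ReturnLength are passed through.  A request that does carry a qualifier
 * has no XP equivalent here; it is refused with STATUS_INVALID_INFO_CLASS
 * and a zero ReturnLength instead of the previous unconditional
 * STATUS_SUCCESS, which let callers go on to parse an output buffer nothing
 * had written.
 *
 * The missing-import list above names NtQuerySystemInformationEx; how that
 * Nt name is bound to this Zw stub is not part of this listing.
 */
NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength)
{
    /* No qualifier: identical to the pre-Vista call. */
    if (InputBuffer == NULL || InputBufferLength == 0) {
        return ZwQuerySystemInformation( SystemInformationClass,
                                         SystemInformation,
                                         SystemInformationLength,
                                         ReturnLength );
    }

    /* Qualified classes are not supported by this shim. */
    if (ReturnLength != NULL) {
        *ReturnLength = 0;
    }

    return STATUS_INVALID_INFO_CLASS;
}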


VOID
MmDeleteKernelStack (
    IN PVOID PointerKernelStack,
    IN BOOLEAN LargeStack
    );

//
// Placeholder carrying the signature of the kernel's internal stack release
// routine: PointerKernelStack is the stack to give back, and LargeStack
// presumably selects the large-stack variant -- confirm against the XP mm
// source.  It releases nothing.  KeFreeCalloutStack_k8 below has its call
// to this routine commented out, so any stack a callout context refers to
// is currently not returned.  Check for a symbol clash with the real
// ntoskrnl routine of the same name before linking.
//
VOID
MmDeleteKernelStack (
    IN PVOID PointerKernelStack,
    IN BOOLEAN LargeStack
    )
    {
    return;        
    }


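VOID
KeFreeCalloutStack_k8 (
    PVOID Context
);

/*
 * KeFreeCalloutStack_k8 - release a callout context obtained from the
 * matching allocate routine.
 *
 * Frees the Context block itself with tag 0 (no tag verification).  The
 * commented-out MmDeleteKernelStack call suggests the Vista context carries
 * a kernel stack pointer at offset 8 and a large-stack flag at offset 4;
 * whether KeAllocateCalloutStack_k8 hands out such a stack is not shown
 * here -- if it does, that stack leaks until the call is restored.
 *
 * A NULL Context is ignored rather than passed to the pool, which treats a
 * null pointer as an invalid free and bugchecks.
 */
VOID
KeFreeCalloutStack_k8 (
    PVOID Context
)
{
    if (Context == NULL) {
        return;
    }

//    MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) );
    ExFreePoolWithTag( Context, 0 );
}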


        


///////////////////////////////////////////////////////////////////

 

 


some more~

added the HashTable functions with pseudocode.
 


 

///////////////////////////////////////////////////////////////////
////////////////////////////// ndis6 //////////////////////////////
///////////////////////////////////////////////////////////////////


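/*
 * One link of the per-thread SEH frame chain.  The decompiled NtTraceControl
 * reference further down pushes and pops such a frame through *fs.
 *
 * The original declaration lacked `typedef`, so the trailing
 * EXCEPTION_REGISTRATION_RECORD / PEXCEPTION_REGISTRATION_RECORD were two
 * file-scope variables rather than the type names the `} NAME, *PNAME;`
 * form is meant to introduce.  If the DDK headers in use already provide
 * this type, drop this duplicate instead of keeping both.
 */
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
    struct _EXCEPTION_REGISTRATION_RECORD *Next;   /* enclosing frame in the chain */
    /* Handler receives the exception record, this frame, the thread context
       and the dispatcher context. */
    enum _EXCEPTION_DISPOSITION  ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *);
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;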

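/*
 * Extended SEH frame as laid out by the x86 compiler's _except_handler4
 * prologue: the plain link (SubRecord) preceded by the saved ESP and the
 * exception pointers, followed by the cookie-encoded scope table and the
 * current try level.
 *
 * `typedef` was missing, turning the intended type names into variables.
 * Note also that the decompiled NtTraceControl reference below addresses
 * this frame as .SavedEsp/.ScopeTable/.Handler/.Next, which are not the
 * member names declared here (SavedESP, EncodedScopeTable, SubRecord.*);
 * that pseudocode does not compile against this declaration as-is.
 */
typedef struct _EH_EXCEPTION_REGISTRATION_RECORD
{
    void *SavedESP;
    struct _EXCEPTION_POINTERS *ExceptionPointers;
    struct _EXCEPTION_REGISTRATION_RECORD SubRecord;   /* the link that actually sits in the chain */
    unsigned int EncodedScopeTable;                    /* scope table pointer XORed with the security cookie */
    unsigned long TryLevel;
} EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD;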

//
// Placeholder for the Vista ETW control syscall imported by ndis.sys.
// FunctionCode selects the ETW operation; InBuffer/InBufferLen and
// OutBuffer/OutBufferLen are the request and reply buffers; *ReturnSize is
// the reply length.  The decompiled reference in the definition below calls
// this last parameter ReturnLength -- the two names refer to the same
// argument.
//
NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize);
    
NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize)
{
    
    
    
//    unsigned int ReturnSize; // [esp-52]
    unsigned int LocalReturnLength; // [esp-36]
    struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28]
    unsigned int local_0x4; // [esp-4]
    struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp
    unsigned int ebp; // ebp
    void * fs; // fs
    unsigned long * v3; // eax
    unsigned long NumberOfBytes; // eax
    struct _GUID * RealtimeConnectContext; // eax
    long v1; // eax
    struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp

/*

    local_0x4 = 40;
    ExceptionRegistration.TryLevel = &scope_table_365;
    ExceptionRegistration.ScopeTable = &NtTraceControl+0xC;
    ExceptionRegistration.Handler = &_except_handler4;
    ExceptionRegistration.Next = *fs;
    local_0x4 = ebp;
    ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie;
    ExceptionRegistration.SavedEsp = esp.SavedEsp - 76;
    ExceptionRegistration.TryLevel = 4294967294;
    ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie;
    *fs = &ExceptionRegistration.Next;
    RealtimeConnectContext = 0;
    LocalReturnLength = 0;
    if( *(*((unsigned char *)fs + 292) + 231) == 0 ) {
        node_19:
        if( InBufferLen == 0 && OutBufferLen == 0 ) {
            RealtimeConnectContext = 0;
        } else {
            if( InBufferLen <= OutBufferLen ) {
                NumberOfBytes = OutBufferLen;
            } else {
                NumberOfBytes = InBufferLen;
            }
            RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 );
            if( RealtimeConnectContext == 0 ) {
                v1 = -1073741801;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                if( RealtimeConnectContext != 0 ) {
                    *(v2.SavedEsp + 4294967292) = 0;
                    *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                    *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
                    ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
                }
                *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
                *fs = ExceptionRegistration.Next;
                return v1;
            } else if( InBuffer != 0 ) {
                memcpy( RealtimeConnectContext, InBuffer, InBufferLen );
            }
        }
        if( FunctionCode < 18 ) {
            if( FunctionCode != 17 ) {
                if( FunctionCode < 14 ) {
                    if( FunctionCode != 13 ) {
                        if( FunctionCode != 0 ) {
                            if( FunctionCode > 5 ) {
                                if( FunctionCode != 11 ) {
                                    if( FunctionCode == 12 ) {
                                        if( InBufferLen == 16 && OutBufferLen == 16 ) {
                                            EtwpCreateActivityId( RealtimeConnectContext );
                                            LocalReturnLength = 16;
                                            v1 = 0;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            goto node_167;
                                        }
                                    }
                                } else if( InBufferLen == 32 && OutBufferLen == 32 ) {
                                    v1 = EtwpRealtimeConnect( RealtimeConnectContext );
                                    LocalReturnLength = 32;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    goto node_167;
                                }
                            } else {
                                if( InBufferLen < 176 || OutBufferLen < 176 ) {
                                    v1 = -1073741306;
                                } else {
                                    if( RealtimeConnectContext == 0 ) {
                                        v1 = -1073741811;
                                    } else if( RealtimeConnectContext->Data1 < 176 ) {
                                        v1 = -1073741306;
                                    } else {
                                        v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485;
                                    }
                                    if( v1 >= 0 ) {
                                        if( RealtimeConnectContext->Data1 > InBufferLen ) {
                                            v1 = -1073741306;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            v1 = 0;
                                        }
                                    }
                                }
                                if( v1 < 0 ) {
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    switch( FunctionCode ) {
                                        case 1: {
                                            v1 = EtwpStartTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 2: {
                                            v1 = EtwpStopTrace( RealtimeConnectContext, 0 );
                                            break;
                                        }
                                        case 3: {
                                            v1 = EtwpQueryTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 4: {
                                            v1 = EtwpUpdateTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 5: {
                                            v1 = EtwpFlushTrace( RealtimeConnectContext );
                                            break;
                                        }
                                    }
                                    LocalReturnLength = 176;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                }
                            }
                        }
                    } else if( InBufferLen == 48 && OutBufferLen == 0 ) {
                        v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 );
                        v2.SavedEsp = esp.SavedEsp + 4294967224;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( FunctionCode != 14 ) {
                    if( FunctionCode != 15 ) {
                        if( FunctionCode == 16 ) {
                            if( InBufferLen == 0 && OutBufferLen < 65537 ) {
                                v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength );
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                goto node_167;
                            }
                        }
                    } else if( InBufferLen == 160 && OutBufferLen == 160 ) {
                        v1 = EtwpRegisterUMGuid( RealtimeConnectContext );
                        LocalReturnLength = 160;
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 8 && OutBufferLen == 0 ) {
                    v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) {
                goto node_167;
            } else {
                if( RealtimeConnectContext->Data1 == 3 ) {
                    v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 );
                    LocalReturnLength = OutBufferLen;
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                }
            }
        } else if( FunctionCode != 18 ) {
            if( FunctionCode != 19 ) {
                if( FunctionCode != 20 ) {
                    if( FunctionCode == 21 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else if( FunctionCode != 22 ) {
                        if( FunctionCode == 23 ) {
                            LocalReturnLength = OutBufferLen;
                            v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength );
                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                            goto node_231;
                        } else if( FunctionCode == 24 ) {
                            if( InBufferLen != 0 || OutBufferLen != 0 ) {
                                goto node_167;
                            } else if( EtwpSecurityProviderPID != 0 ) {
                                v1 = -1073741790;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524);
                                v1 = 0;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            }
                        }
                    } else if( InBufferLen == 16 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 0 && OutBufferLen == 0 ) {
                    v1 = WdiUpdateSem();
                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen == 8 && OutBufferLen > 71 ) {
                v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize );
                LocalReturnLength = ReturnSize;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                goto node_231;
            } else {
                goto node_167;
            }
        } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) {
            RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524);
            v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 );
            v2.SavedEsp = esp.SavedEsp + 4294967224;
            goto node_231;
        } else {
            goto node_167;
        }
        v1 = -1073741808;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        goto node_231;
        node_167:
        v1 = -1073741811;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        node_231:
        if( v1 >= 0 ) {
            if( LocalReturnLength != 0 ) {
                *(v2.SavedEsp + 4294967292) = LocalReturnLength;
                *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                *(v2.SavedEsp + 4294967284) = OutBuffer;
                *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC;
                memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
            }
            ReturnLength[0] = LocalReturnLength;
        }
        if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) {
            ReturnLength[0] = LocalReturnLength;
        }
    } else {
        if( InBuffer == 0 ) {
            InBufferLen = 0;
        } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) {
            *MmUserProbeAddress = 0;
        }
        if( OutBuffer != 0 ) {
            ProbeForWrite( OutBuffer, OutBufferLen, 1 );
        } else {
            OutBufferLen = 0;
        }
        if( ReturnLength == 0 ) {
            v1 = -1073741811;
            v2.SavedEsp = esp.SavedEsp + 4294967220;
        } else {
            if( ReturnLength >= MmUserProbeAddress ) {
                v3 = MmUserProbeAddress;
            } else {
                v3 = ReturnLength;
            }
            v3[0] = v3[0];
            goto node_19;
        }
    }
    if( RealtimeConnectContext != 0 ) {
        *(v2.SavedEsp + 4294967292) = 0;
        *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
        *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
        ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
    }
    *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
    *fs = ExceptionRegistration.Next;
    return v1;
    
//    */
    

    return STATUS_SUCCESS;
    
}


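PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
);

/*
 * Stand-in for KeRegisterProcessorChangeCallback, which the XP kernel does
 * not export.  No callback is recorded and CallbackFunction is never invoked.
 *
 * CallbackFunction - ignored.
 * CallbackContext  - ignored.
 * Flags            - ignored.
 *
 * Returns NULL.  NULL is what the real API returns on failure, so a caller
 * that insists on a registration handle will treat the call as failed and a
 * caller that merely keeps the handle for a later deregistration gets nothing
 * it could misuse.  The earlier stub returned STATUS_SUCCESS (0) through the
 * PVOID return type, which is the same bit pattern but an integer-to-pointer
 * mismatch; returning NULL states the intent.
 */
PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
)
{
    (void)CallbackFunction;
    (void)CallbackContext;
    (void)Flags;

    return NULL;
}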


//
// C4333 is MSVC's "right shift by too large amount, data loss" warning.  It
// appears to be triggered by the byte-wide shifts in
// RtlNumberOfSetBitsUlongPtr_k8 below ((unsigned char)~Target >> 16 can only
// ever yield 0).  Disabling it file-wide hides that symptom instead of fixing
// the arithmetic; once the count routine is corrected this pragma can go.
//
#pragma warning(disable : 4333)

//
//  Lookup table that tells how many clear bits (i.e., 0) there are in a byte
//
//  Indexed by a byte value (0..255); entry n is the number of 0 bits in n.
//  Set bits are counted by indexing with the complemented byte (~x), which
//  is what RtlNumberOfSetBitsUlongPtr_k8 does.  Not declared static so the
//  name is visible to the rest of the module.
//

CONST CCHAR RtlpBitsClearTotal[] =
          { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 };


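ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
);

/*
 * Count the bits set in Target (population count), one byte at a time
 * through RtlpBitsClearTotal.
 *
 * RtlpBitsClearTotal gives the number of CLEAR bits in a byte, so each byte
 * of ~Target is looked up instead: the clear bits of ~x are the set bits of x.
 *
 * The previous, decompiler-derived body shifted an already-truncated byte
 * ("(unsigned char)~Target >> 16" and "/ 256" are always 0), so it only
 * counted the lowest and highest bytes and added the two constant lookups
 * RtlpBitsClearTotal[0] == 8 for the middle ones, i.e. it returned
 * popcount(byte0) + popcount(byte3) + 16.  Iterating over sizeof(Target)
 * also keeps the routine correct for a 64-bit ULONG_PTR.
 *
 * Target - value whose set bits are counted.
 *
 * Returns the number of 1 bits in Target, 0 .. 8 * sizeof(ULONG_PTR).
 */
ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
)
{
    ULONG_PTR Inverted = ~Target;   // table counts clear bits, so invert once
    ULONG     Count    = 0;
    unsigned  Byte;

    for (Byte = 0; Byte < sizeof(Target); Byte++) {
        Count += (ULONG)RtlpBitsClearTotal[(unsigned char)(Inverted >> (8 * Byte))];
    }

    return Count;
}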

//
// Cache attribute values used by the MiPlatformCacheAttributes table.  The
// numbering matters: the reference code for MmAllocatePagesForMdlEx_k8 uses
// the literal 3 (MiNotMapped) for an unrecognised CacheType, so the values
// are spelled out explicitly.
//
typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached     = 0,
    MiCached        = 1,
    MiWriteCombined = 2,
    MiNotMapped     = 3
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;


//
// Cache control stuff.  Indexed by MEMORY_CACHING_TYPE: the first
// MmMaximumCacheType entries describe memory space, the next
// MmMaximumCacheType entries describe I/O space.  Note this may be
// overridden by deficient hardware platforms at startup.
//
// Slot order within each half (positional, so it must follow the enum):
//   0 MmNonCached, 1 MmCached, 2 MmWriteCombined,
//   3 MmHardwareCoherentCached, 4 MmNonCachedUnordered, 5 MmUSWCCached
//

MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] =
{
    /* Memory space */
    MiNonCached, MiCached, MiWriteCombined,
    MiCached,    MiNonCached, MiWriteCombined,

    /* I/O space */
    MiNonCached, MiCached, MiWriteCombined,
    MiCached,    MiNonCached, MiWriteCombined
};

PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
);


/*
 * MmAllocatePagesForMdlEx on top of the XP MmAllocatePagesForMdl.
 *
 * CacheType and Flags are dropped: the XP routine has no such parameters, so
 * the pages come back with the allocator's default caching and none of the
 * MM_ALLOCATE_* behaviours are applied.  Decompiler output of the original
 * routine showed it mapping CacheType through MiPlatformCacheAttributes
 * (any CacheType above 2 becoming MiNotMapped) and returning NULL when any
 * bit outside the low two of Flags was set.  This forwarder does not reject
 * unknown flags; a caller that depends on a specific flag being honoured
 * (e.g. an all-or-nothing allocation) must verify the result itself.
 *
 * LowAddress, HighAddress, SkipBytes, TotalBytes - as for MmAllocatePagesForMdl.
 * CacheType - ignored.
 * Flags     - ignored.
 *
 * Returns the MDL from MmAllocatePagesForMdl, or NULL when it could not
 * allocate.  As with the XP routine, the MDL may describe fewer bytes than
 * TotalBytes; check the MDL's byte count before use.
 */
PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
)
{
    (void)CacheType;
    (void)Flags;

    return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes );
}

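BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
);

/*
 * Report whether SpinLock is currently free, without acquiring it.
 *
 * The x86 XP spin lock is a single ULONG_PTR that is zero while free and
 * non-zero while held, so a volatile read of the word is the test.
 * NOTE(review): that zero-means-free convention is assumed from the legacy
 * x86 KSPIN_LOCK implementation; confirm against the targeted XP build.
 *
 * The previous stub always answered TRUE, so a caller that polls "wait until
 * free, then try to acquire" would never back off and would hammer the
 * try-acquire path instead.  The result is only a hint: the lock can change
 * hands immediately after the read.
 *
 * SpinLock - the lock to inspect; must be a valid lock address.
 *
 * Returns TRUE if the lock was free at the instant of the read, else FALSE.
 */
BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
)
{
    return (BOOLEAN)(*(volatile ULONG_PTR *)SpinLock == 0);
}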


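NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
);

/*
 * Stand-in for IoGetDeviceNumaNode.  Every device is reported as belonging
 * to node 0; Pdo is not examined.
 *
 * The previous stub returned STATUS_SUCCESS without writing *NodeNumber, so
 * a caller read whatever happened to be on its stack as the node index and
 * could use it to size or index per-node structures.
 *
 * Pdo        - ignored.
 * NodeNumber - receives 0; must not be NULL.
 *
 * Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER when NodeNumber is NULL.
 */
NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
)
{
    (void)Pdo;

    if( NodeNumber == NULL ) {
        return STATUS_INVALID_PARAMETER;
    }

    *NodeNumber = 0;
    return STATUS_SUCCESS;
}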

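NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength);

/*
 * ZwQuerySystemInformation is exported by the XP kernel but not declared by
 * every DDK header set; a compatible redeclaration is harmless if it is.
 */
NTSTATUS
NTAPI
ZwQuerySystemInformation (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

/*
 * Stand-in for NtQuerySystemInformationEx (the import ndis asks for is
 * spelled with the Nt prefix; this module names it Zw).
 *
 * A query that carries no class-specific input is handled by the plain
 * ZwQuerySystemInformation, which is the closest XP equivalent.  A query
 * that does carry input has no XP counterpart and is refused.  The previous
 * stub returned STATUS_SUCCESS without touching SystemInformation or
 * *ReturnLength, so the caller would consume whatever the output buffer
 * already held as valid system data.
 *
 * SystemInformationClass  - class to query.
 * InputBuffer / InputBufferLength - class-specific input; none is supported.
 * SystemInformation / SystemInformationLength - caller's output buffer.
 * ReturnLength - optional; receives the size written or required, or 0 on
 *                the refused path.
 *
 * Returns the status from ZwQuerySystemInformation for input-less queries,
 * STATUS_NOT_IMPLEMENTED otherwise.
 */
NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength)
{
    if( InputBuffer == NULL || InputBufferLength == 0 ) {
        return ZwQuerySystemInformation( SystemInformationClass,
                                         SystemInformation,
                                         SystemInformationLength,
                                         ReturnLength );
    }

    // Input-qualified classes cannot be answered here; say so rather than
    // reporting success over an unwritten buffer.
    if( ReturnLength != NULL ) {
        *ReturnLength = 0;
    }
    return STATUS_NOT_IMPLEMENTED;
}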


VOID
MmDeleteKernelStack (
    PVOID PointerKernelStack,
    BOOLEAN LargeStack
    );

/*
 * Placeholder that releases nothing.  The only call site visible in this
 * file, inside KeFreeCalloutStack_k8, is commented out, and
 * KeAllocateCalloutStack_k8 never creates a stack for it to delete.  The
 * name carries no _k8 suffix and matches a kernel-internal routine; keep
 * that in mind if the real one ever becomes reachable from here.
 *
 * PointerKernelStack - ignored.
 * LargeStack         - ignored.
 */
VOID
MmDeleteKernelStack (
    PVOID PointerKernelStack,
    BOOLEAN LargeStack
    )
{
    (void)PointerKernelStack;
    (void)LargeStack;
}


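VOID
KeFreeCalloutStack_k8 (
    PVOID Context
);

/*
 * Release a callout-stack context obtained from KeAllocateCalloutStack_k8.
 *
 * KeAllocateCalloutStack_k8 in this module never hands out a context (it
 * returns NULL), so Context is normally NULL here and there is nothing to
 * free.  ExFreePoolWithTag must not be given NULL on XP, so the call is
 * guarded; a non-NULL Context is assumed to be a pool block and released.
 * The original routine (see the commented call) also tore down the kernel
 * stack recorded inside the context; nothing of the sort is allocated here.
 *
 * Context - context returned by KeAllocateCalloutStack_k8, or NULL.
 */
VOID
KeFreeCalloutStack_k8 (
    PVOID Context
)
{
    if( Context == NULL ) {
        return;
    }

//    MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) );
    ExFreePoolWithTag( Context, 0 );
}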


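PVOID
KeAllocateCalloutStack_k8 (
    BOOLEAN LargeStack
);

/*
 * Stand-in for KeAllocateCalloutStack.  No stack is created.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * allocate a 32-byte non-paged context block; create a kernel stack with
 * MmCreateKernelStack(LargeStack ? 5 : 0, 0, 0), storing its address at
 * offset 8 and the LargeStack flag at offset 4; on stack-creation failure
 * free the block and return NULL; otherwise fill in a constant signature at
 * offset 0, a few small fixed fields at offsets 12..20 and a self-pointing
 * list head at offsets 24/28, and return the block.  MmCreateKernelStack is
 * kernel-internal and not available to this module, so none of that is
 * reproduced.
 *
 * LargeStack - ignored.
 *
 * Returns NULL, which the real API uses to report "could not allocate";
 * the caller must handle that and must not rely on a callout stack being
 * available.  The earlier stub returned STATUS_SUCCESS (0) through the PVOID
 * return type, which is the same bit pattern but an integer-to-pointer
 * mismatch.  KeFreeCalloutStack_k8 accepts the NULL this returns.
 */
PVOID
KeAllocateCalloutStack_k8 (
    BOOLEAN LargeStack
)
{
    (void)LargeStack;

    return NULL;
}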


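VOID
SeCaptureSubjectContextEx_k8 (
    PETHREAD Thread,
    PEPROCESS Process,
    PSECURITY_SUBJECT_CONTEXT SubjectContext
  );

#ifndef _NTIFS_
/*
 * The token-reference routines are exported by the XP kernel but declared
 * only in ntifs.h; provide the prototypes when that header is not in use.
 */
PACCESS_TOKEN
NTAPI
PsReferencePrimaryToken (
    PEPROCESS Process);

PACCESS_TOKEN
NTAPI
PsReferenceImpersonationToken (
    PETHREAD Thread,
    PBOOLEAN CopyOnOpen,
    PBOOLEAN EffectiveOnly,
    PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
#endif

/*
 * Capture the security context of an explicit thread/process pair, as
 * SeCaptureSubjectContextEx does, using the XP exports that the decompiled
 * original also calls.
 *
 * The previous stub returned without writing SubjectContext at all, so the
 * caller's later SeReleaseSubjectContext dereferenced whatever token
 * pointers were left on its stack.
 *
 * Thread         - thread whose impersonation token (if any) becomes
 *                  ClientToken; may be NULL, in which case ClientToken is
 *                  NULL and ImpersonationLevel is left untouched, matching
 *                  the original.
 * Process        - process whose primary token becomes PrimaryToken and
 *                  whose id becomes ProcessAuditId; must not be NULL.
 * SubjectContext - receives the captured context.  Both token references
 *                  are taken here and must be dropped with
 *                  SeReleaseSubjectContext.
 *
 * NOTE(review): ProcessAuditId is taken from PsGetProcessId, which is the
 * process id the original reads directly from the EPROCESS; confirm the
 * three Ps* exports exist on the targeted XP build.
 */
VOID
SeCaptureSubjectContextEx_k8 (
    PETHREAD Thread,
    PEPROCESS Process,
    PSECURITY_SUBJECT_CONTEXT SubjectContext
  )
{
    BOOLEAN CopyOnOpen;     // out-params of PsReferenceImpersonationToken,
    BOOLEAN EffectiveOnly;  // not part of SECURITY_SUBJECT_CONTEXT

    SubjectContext->ProcessAuditId = (PVOID)PsGetProcessId( Process );

    if( Thread == NULL ) {
        SubjectContext->ClientToken = NULL;
    } else {
        SubjectContext->ClientToken = PsReferenceImpersonationToken( Thread,
                                                                     &CopyOnOpen,
                                                                     &EffectiveOnly,
                                                                     &SubjectContext->ImpersonationLevel );
    }

    SubjectContext->PrimaryToken = PsReferencePrimaryToken( Process );
}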


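BOOLEAN
SeAccessCheckFromState_k8 (
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation,
    PTOKEN_ACCESS_INFORMATION ClientTokenInformation,
    ACCESS_MASK DesiredAccess,
    ACCESS_MASK PreviouslyGrantedAccess,
    PPRIVILEGE_SET *Privileges,
    PGENERIC_MAPPING GenericMapping,
    KPROCESSOR_MODE AccessMode,
    PACCESS_MASK GrantedAccess,
    PNTSTATUS AccessStatus
    );

/*
 * Stand-in for SeAccessCheckFromState.  Always denies.
 *
 * Reference behaviour, from decompiler output of the original routine: build
 * a TOKEN from each TOKEN_ACCESS_INFORMATION with SepTokenFromAccessInformation
 * (the client one only when ClientTokenInformation is non-NULL), wrap them in
 * a subject context and run SeAccessCheck with SubjectContextLocked = TRUE.
 * SepTokenFromAccessInformation is kernel-internal and not available here,
 * so the check cannot be reproduced; the safe answer is to fail closed.
 *
 * The previous stub returned FALSE but left *GrantedAccess and *AccessStatus
 * unwritten, so a caller that reports or logs those values saw stack garbage.
 * The output contract of the real routine is honoured instead: no access,
 * STATUS_ACCESS_DENIED, no privileges used.
 *
 * SecurityDescriptor, PrimaryTokenInformation, ClientTokenInformation,
 * DesiredAccess, PreviouslyGrantedAccess, GenericMapping, AccessMode - ignored.
 * Privileges    - optional; *Privileges is set to NULL when supplied.
 * GrantedAccess - optional; receives 0 when supplied.
 * AccessStatus  - optional; receives STATUS_ACCESS_DENIED when supplied.
 *
 * Returns FALSE (access denied).
 */
BOOLEAN
SeAccessCheckFromState_k8 (
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation,
    PTOKEN_ACCESS_INFORMATION ClientTokenInformation,
    ACCESS_MASK DesiredAccess,
    ACCESS_MASK PreviouslyGrantedAccess,
    PPRIVILEGE_SET *Privileges,
    PGENERIC_MAPPING GenericMapping,
    KPROCESSOR_MODE AccessMode,
    PACCESS_MASK GrantedAccess,
    PNTSTATUS AccessStatus
    )

{
    (void)SecurityDescriptor;
    (void)PrimaryTokenInformation;
    (void)ClientTokenInformation;
    (void)DesiredAccess;
    (void)PreviouslyGrantedAccess;
    (void)GenericMapping;
    (void)AccessMode;

    if( Privileges != NULL ) {
        *Privileges = NULL;
    }
    if( GrantedAccess != NULL ) {
        *GrantedAccess = 0;
    }
    if( AccessStatus != NULL ) {
        *AccessStatus = STATUS_ACCESS_DENIED;
    }

    return FALSE;
}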
    

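long __stdcall IoSetIoCompletionEx_k8 (
    PVOID  IoCompletion,
    PVOID  KeyContext,
    PVOID  ApcContext,
    long IoStatus,
    unsigned long IoStatusInformation,
    unsigned char Quota,
    PVOID  MiniPacket
);


/*
 * IoSetIoCompletionEx on top of the XP IoSetIoCompletion.
 *
 * Reference behaviour, from decompiler output of the original routine: if
 * MiniPacket is NULL allocate one (IopAllocateMiniCompletionPacket, charged
 * to quota when Quota is set, STATUS_INSUFFICIENT_RESOURCES on failure);
 * then store KeyContext, ApcContext, IoStatus and IoStatusInformation in the
 * packet and KeInsertQueue it on the completion port.
 *
 * XP's IoSetIoCompletion does the allocate-fill-queue sequence itself, so the
 * call is forwarded to it.  The previous stub returned STATUS_SUCCESS without
 * queueing anything, leaving the consumer of the completion port waiting for
 * a packet that never arrived.
 *
 * MiniPacket, a packet the caller pre-allocated on newer kernels, is not
 * consumed: the XP routine queues its own packet, which the dequeueing side
 * releases.  The caller therefore still owns MiniPacket and must release it
 * with whatever it allocated it from.
 * NOTE(review): confirm IoSetIoCompletion is exported by the targeted XP build
 * and that the caller does not expect MiniPacket to be the queued object.
 *
 * Returns the NTSTATUS from IoSetIoCompletion.
 */
long __stdcall IoSetIoCompletionEx_k8 (
    PVOID  IoCompletion,
    PVOID  KeyContext,
    PVOID  ApcContext,
    long IoStatus,
    unsigned long IoStatusInformation,
    unsigned char Quota,
    PVOID  MiniPacket
)
{
    (void)MiniPacket;

    return IoSetIoCompletion( IoCompletion,
                              KeyContext,
                              ApcContext,
                              IoStatus,
                              IoStatusInformation,
                              Quota );
}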

VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable );


/*
 * Stand-in for RtlDeleteHashTable.  Nothing is released; RtlCreateHashTable_k8
 * in this module never produces a table, so there is never anything to free.
 *
 * Reference behaviour, from decompiler output of the original routine (field
 * offsets match the ntddk.h RTL_DYNAMIC_HASH_TABLE layout): when TableSize
 * is at most 128 the Directory is a single second-level block and is freed;
 * otherwise Directory is an array of up to 512 second-level pointers, each
 * non-NULL one is freed in order until a NULL slot, then the array itself.
 * Finally, if bit 0 of Flags is set (the table was allocated by
 * RtlCreateHashTable rather than supplied by the caller) the table is freed.
 *
 * HashTable - ignored.
 */
VOID RtlDeleteHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable )
{
    (void)HashTable;
}


BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags );


/*
 * Stand-in for RtlCreateHashTable.  No table is created: a NULL *HashTable
 * stays NULL and a caller-supplied one is left untouched.
 *
 * Reference behaviour, from decompiler output of the original routine: when
 * *HashTable is NULL, allocate a 36-byte table with pool tag 0x62615448
 * ('HTab') and remember that in bit 0 of Flags; zero the nine ULONG fields;
 * set Flags, Shift, TableSize = 128, Pivot = 0, DivisorMask = 127; obtain a
 * second-level directory with RtlpAllocateSecondLevelDir and store it in
 * Directory, calling RtlDeleteHashTable and returning FALSE if that fails.
 * RtlpAllocateSecondLevelDir is not available here.
 *
 * HashTable - ignored.
 * Shift     - ignored.
 * Flags     - ignored.
 *
 * Returns FALSE (creation failed), so callers take their failure path.
 */
BOOLEAN RtlCreateHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE *HashTable, ULONG Shift, ULONG Flags )
{
    (void)HashTable;
    (void)Shift;
    (void)Flags;

    return FALSE;
}


PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context );


/*
 * Stand-in for RtlGetNextEntryHashTable.  There are never any entries.
 *
 * Reference behaviour, from decompiler output of the original routine
 * (Context fields ChainHead / PrevLinkage / Signature): look at the entry
 * after Context->PrevLinkage->Flink; if that is the chain head, return NULL.
 * While enumerators are active (HashTable->NumEnumerators != 0) skip entries
 * whose Signature slot is 0, which appear to be enumerator placeholders.  The
 * candidate is returned only if its Signature equals Context->Signature, in
 * which case Context->PrevLinkage is advanced; otherwise NULL.
 *
 * HashTable - ignored.
 * Context   - ignored.
 *
 * Returns NULL (no further entry).
 */
PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlGetNextEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context )
{
    (void)HashTable;
    (void)Context;

    return NULL;
}

PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context );


/*
 * Stand-in for RtlLookupEntryHashTable.  Nothing is ever found.
 *
 * Reference behaviour, from decompiler output of the original routine: use
 * a local context when Context is NULL; fill it for Signature with
 * RtlpPopulateContext (bucket chain head and predecessor link); if the chain
 * is empty return NULL, otherwise return the first chain entry when its
 * Signature equals the requested one and NULL when it does not.  Chains are
 * kept sorted by signature, which is why only the first entry is examined.
 *
 * HashTable - ignored.
 * Signature - ignored.
 * Context   - ignored; a caller-supplied context is left untouched.
 *
 * Returns NULL (not found).
 */
PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlLookupEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context )
{
    (void)HashTable;
    (void)Signature;
    (void)Context;

    return NULL;
}


BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context );


/*
 * Stand-in for RtlRemoveEntryHashTable.  Entry is not touched.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * decrement HashTable->NumEntries; if Entry was the only element of its
 * bucket (Flink == Blink) decrement NonEmptyBuckets; unlink Entry from its
 * chain; if Context was supplied and is empty (ChainHead == NULL), populate
 * it for Entry->Signature with RtlpPopulateContext; return TRUE.
 *
 * HashTable - ignored.
 * Entry     - ignored.
 * Context   - ignored.
 *
 * Returns FALSE: consistent with the other stubs here, which never hold an
 * entry to remove.
 */
BOOLEAN RtlRemoveEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context )
{
    (void)HashTable;
    (void)Entry;
    (void)Context;

    return FALSE;
}

    

BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context );


/*
 * Stand-in for RtlInsertEntryHashTable.  Entry is not linked anywhere.
 *
 * Reference behaviour, from decompiler output of the original routine: store
 * Signature in Entry->Signature; increment HashTable->NumEntries; populate a
 * context for Signature (a local one when Context is NULL, the caller's when
 * its ChainHead is NULL); if the bucket was empty increment NonEmptyBuckets;
 * link Entry immediately after the context's PrevLinkage; return TRUE.
 *
 * HashTable - ignored.
 * Entry     - ignored; its Signature field is NOT written.
 * Signature - ignored.
 * Context   - ignored.
 *
 * Returns FALSE (not inserted).
 */
BOOLEAN RtlInsertEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, ULONG_PTR Signature, PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context )
{
    (void)HashTable;
    (void)Entry;
    (void)Signature;
    (void)Context;

    return FALSE;
}


VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator );


/*
 * Stand-in for RtlEndEnumerationHashTable.  Nothing to undo, because
 * RtlInitEnumerationHashTable_k8 never starts an enumeration.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * decrement HashTable->NumEnumerators; if the enumerator's placeholder entry
 * is linked into a chain, unlink it and, if that left its bucket empty,
 * decrement NonEmptyBuckets; clear Enumerator->ChainHead.
 *
 * HashTable  - ignored.
 * Enumerator - ignored.
 */
VOID RtlEndEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator )
{
    (void)HashTable;
    (void)Enumerator;
}


PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator );


/*
 * Stand-in for RtlEnumerateEntryHashTable.  Enumeration is always finished.
 *
 * Reference behaviour, from decompiler output of the original routine
 * (Enumerator fields HashEntry / ChainHead / BucketIndex): starting at
 * Enumerator->BucketIndex, walk buckets up to HashTable->TableSize; within a
 * bucket, advance past the enumerator's placeholder to the next entry whose
 * Signature slot is non-zero; unlink the placeholder from its old position
 * and re-link it after the entry found, keeping NonEmptyBuckets right when
 * a bucket becomes empty or non-empty; record the bucket and chain head in
 * the enumerator and return the entry.  NULL once every bucket is exhausted.
 * The decompiler's prologue of that walk is garbled (two consecutive
 * unconditional breaks), so treat the summary as approximate.
 *
 * HashTable  - ignored.
 * Enumerator - ignored.
 *
 * Returns NULL (no more entries).
 */
PRTL_DYNAMIC_HASH_TABLE_ENTRY RtlEnumerateEntryHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator )
{
    (void)HashTable;
    (void)Enumerator;

    return NULL;
}


BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator );


/*
 * Stand-in for RtlInitEnumerationHashTable.  No enumeration is started and
 * Enumerator is left untouched.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * populate a context for signature 0 (the first bucket); increment
 * HashTable->NumEnumerators; if that bucket was empty increment
 * NonEmptyBuckets; link the enumerator's placeholder entry at the head of
 * the bucket; set BucketIndex = 0, HashEntry.Signature = 0 and ChainHead to
 * the bucket; return TRUE.  A zero Signature is what marks the placeholder
 * for the other routines.
 *
 * HashTable  - ignored.
 * Enumerator - ignored.
 *
 * Returns FALSE (could not start), so callers must not call
 * RtlEnumerateEntryHashTable_k8 / RtlEndEnumerationHashTable_k8 afterwards.
 */
BOOLEAN RtlInitEnumerationHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable, PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator )
{
    (void)HashTable;
    (void)Enumerator;

    return FALSE;
}


BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable );


/*
 * Stand-in for RtlContractHashTable.  The table never changes size.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * refuse (FALSE) when TableSize is already the minimum 128 or enumerators
 * are active; otherwise step Pivot back (halving DivisorMask when it wraps),
 * fetch the last bucket and its partner with RtlpGetChainHead, decrement
 * TableSize, merge the last bucket's chain into the partner in signature
 * order while keeping NonEmptyBuckets right, and when TableSize crosses a
 * multiple of 128 free the now-unused second-level block (and the
 * first-level directory once back at 128); return TRUE.  The decompiler left
 * several registers uninitialised in that listing, so the detail is
 * approximate.
 *
 * HashTable - ignored.
 *
 * Returns FALSE (not contracted).
 */
BOOLEAN RtlContractHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable )
{
    (void)HashTable;

    return FALSE;
}


BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable );


/*
 * Stand-in for RtlExpandHashTable.  The table never changes size.
 *
 * Reference behaviour, from decompiler output of the original routine:
 * refuse (FALSE) when TableSize is already the maximum 65536 or enumerators
 * are active; when growing past 128 buckets allocate a zeroed 2048-byte
 * first-level directory (pool tag 0x62615448, 'HTab') whose slot 0 takes
 * the existing second-level block; obtain a new second-level block with
 * RtlpAllocateSecondLevelDir when the next one is missing, rolling the
 * directory back on failure; increment TableSize and Pivot; split the pivot
 * bucket's chain by re-hashing each entry's Signature with Shift against the
 * doubled DivisorMask, moving the matching entries to the new bucket and
 * fixing NonEmptyBuckets; when Pivot passes DivisorMask, double DivisorMask
 * (|1) and reset Pivot to 0; return TRUE.  One variable in the listing
 * (v6) is never assigned, so the split loop is only approximately recovered.
 *
 * HashTable - ignored.
 *
 * Returns FALSE (not expanded).
 */
BOOLEAN RtlExpandHashTable_k8 ( PRTL_DYNAMIC_HASH_TABLE HashTable )
{
    (void)HashTable;

    return FALSE;
}

///////////////////////////////////////////////////////////////////

 

 


@Mov AX, 0xDEAD

for functions like ZwAlpcCancelMessage and others

	NTSYSCALLAPI NTSTATUS NTAPI ZwAlpcCancelMessage(_In_ HANDLE PortHandle,
	_In_ ULONG Flags,
	_In_ PALPC_CONTEXT_ATTR MessageContext 
	);
	 
	void __stdcall _ZwAlpcCancelMessage@12( int p1, int p2, int p3 )
{
    __asm.pushfd();
    _KiSystemService();
}
	

in asm

	 void __stdcall _ZwAlpcCancelMessage@12( int p1, int p2, int p3 )
 {
    mov eax, 0x14
    lea edx, [p1]
    pushfd
    push 0x8
    call _KiSystemService; void __cdecl( void )
    ret 0xC
 }
	

how should we implement this?

should we take KiSystemService from trap.asm?


OK, all needed functions added for ndis6, although most are stubbed right now.


edit: forgot NtQuerySystemInformationEx


 

///////////////////////////////////////////////////////////////////
////////////////////////////// ndis6 //////////////////////////////
///////////////////////////////////////////////////////////////////


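/*
 * x86 SEH registration record: the Next/Handler pair that the reference
 * decompilation of NtTraceControl links into the fs:[0] chain
 * (`ExceptionRegistration.Next = *fs` / `*fs = &ExceptionRegistration.Next`).
 *
 * The original declaration lacked `typedef`, so EXCEPTION_REGISTRATION_RECORD
 * and PEXCEPTION_REGISTRATION_RECORD were two global *variables* instead of
 * type names; the trailing `*P...` declarator only makes sense as a typedef.
 */
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
    struct _EXCEPTION_REGISTRATION_RECORD *Next;   /* previous record in the handler chain */
    enum _EXCEPTION_DISPOSITION  ( *Handler)(struct _EXCEPTION_RECORD *,void *,struct _CONTEXT *,void *);
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;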

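/*
 * MSVC `_except_handler4` frame as the reference decompilation of
 * NtTraceControl lays it out: saved ESP, exception pointers, the chained
 * SEH record, the scope table pointer XOR'd with __security_cookie
 * (`&scope_table_365 ^ __security_cookie`) and the current try level.
 *
 * As with EXCEPTION_REGISTRATION_RECORD, the original omitted `typedef` and so
 * defined two global variables named EH_EXCEPTION_REGISTRATION_RECORD and
 * PEH_EXCEPTION_REGISTRATION_RECORD rather than the intended type names.
 */
typedef struct _EH_EXCEPTION_REGISTRATION_RECORD
{
    void *SavedESP;
    struct _EXCEPTION_POINTERS *ExceptionPointers;
    struct _EXCEPTION_REGISTRATION_RECORD SubRecord;   /* the Next/Handler pair registered at fs:[0] */
    unsigned int EncodedScopeTable;                    /* scope table address ^ __security_cookie */
    unsigned long TryLevel;
} EH_EXCEPTION_REGISTRATION_RECORD, *PEH_EXCEPTION_REGISTRATION_RECORD;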

/* ETW control entry point imported by ndis; the body below is still a stub. */
NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize);
    
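NTSTATUS
NtTraceControl_k8 (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize)
{
    /*
     * ETW control entry point (imported by ndis).  Still a stub: every
     * FunctionCode is accepted, nothing is read from InBuffer and nothing is
     * written to OutBuffer.
     *
     * What even a stub must guarantee: ReturnSize is an output.  The reference
     * decompilation kept below stores it on every successful path
     * (`ReturnLength[0] = LocalReturnLength`) and again for the
     * buffer-too-small cases.  Reporting STATUS_SUCCESS while leaving it
     * untouched handed the caller an indeterminate byte count for an OutBuffer
     * nothing has filled, so it is set to 0 here.
     *
     * NOTE(review): when PreviousMode is not kernel, the reference probes the
     * caller's buffers (the MmUserProbeAddress checks and ProbeForWrite) before
     * touching them.  This stub is only reachable from kernel-mode importers;
     * if it is ever exposed through the system service table, that probing is
     * mandatory.
     */
    
/*
    
//    unsigned int ReturnSize; // [esp-52]
    unsigned int LocalReturnLength; // [esp-36]
    struct _EH_EXCEPTION_REGISTRATION_RECORD ExceptionRegistration; // [esp-28]
    unsigned int local_0x4; // [esp-4]
    struct _EH_EXCEPTION_REGISTRATION_RECORD esp; // esp
    unsigned int ebp; // ebp
    void * fs; // fs
    unsigned long * v3; // eax
    unsigned long NumberOfBytes; // eax
    struct _GUID * RealtimeConnectContext; // eax
    long v1; // eax
    struct _EH_EXCEPTION_REGISTRATION_RECORD v2; // esp

/*

    local_0x4 = 40;
    ExceptionRegistration.TryLevel = &scope_table_365;
    ExceptionRegistration.ScopeTable = &NtTraceControl+0xC;
    ExceptionRegistration.Handler = &_except_handler4;
    ExceptionRegistration.Next = *fs;
    local_0x4 = ebp;
    ExceptionRegistration.TryLevel = &scope_table_365 ^ __security_cookie;
    ExceptionRegistration.SavedEsp = esp.SavedEsp - 76;
    ExceptionRegistration.TryLevel = 4294967294;
    ExceptionRegistration.ScopeTable = &scope_table_365 ^ __security_cookie;
    *fs = &ExceptionRegistration.Next;
    RealtimeConnectContext = 0;
    LocalReturnLength = 0;
    if( *(*((unsigned char *)fs + 292) + 231) == 0 ) {
        node_19:
        if( InBufferLen == 0 && OutBufferLen == 0 ) {
            RealtimeConnectContext = 0;
        } else {
            if( InBufferLen <= OutBufferLen ) {
                NumberOfBytes = OutBufferLen;
            } else {
                NumberOfBytes = InBufferLen;
            }
            RealtimeConnectContext = ExAllocatePoolWithQuotaTag( 9, NumberOfBytes, 1350005829 );
            if( RealtimeConnectContext == 0 ) {
                v1 = -1073741801;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                if( RealtimeConnectContext != 0 ) {
                    *(v2.SavedEsp + 4294967292) = 0;
                    *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                    *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
                    ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
                }
                *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
                *fs = ExceptionRegistration.Next;
                return v1;
            } else if( InBuffer != 0 ) {
                memcpy( RealtimeConnectContext, InBuffer, InBufferLen );
            }
        }
        if( FunctionCode < 18 ) {
            if( FunctionCode != 17 ) {
                if( FunctionCode < 14 ) {
                    if( FunctionCode != 13 ) {
                        if( FunctionCode != 0 ) {
                            if( FunctionCode > 5 ) {
                                if( FunctionCode != 11 ) {
                                    if( FunctionCode == 12 ) {
                                        if( InBufferLen == 16 && OutBufferLen == 16 ) {
                                            EtwpCreateActivityId( RealtimeConnectContext );
                                            LocalReturnLength = 16;
                                            v1 = 0;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            goto node_167;
                                        }
                                    }
                                } else if( InBufferLen == 32 && OutBufferLen == 32 ) {
                                    v1 = EtwpRealtimeConnect( RealtimeConnectContext );
                                    LocalReturnLength = 32;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    goto node_167;
                                }
                            } else {
                                if( InBufferLen < 176 || OutBufferLen < 176 ) {
                                    v1 = -1073741306;
                                } else {
                                    if( RealtimeConnectContext == 0 ) {
                                        v1 = -1073741811;
                                    } else if( RealtimeConnectContext->Data1 < 176 ) {
                                        v1 = -1073741306;
                                    } else {
                                        v1 = ((RealtimeConnectContext[2].Data4[4] & 0x20000) != 0 & 0x3FFFFFF3) + 3221225485;
                                    }
                                    if( v1 >= 0 ) {
                                        if( RealtimeConnectContext->Data1 > InBufferLen ) {
                                            v1 = -1073741306;
                                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                                            goto node_231;
                                        } else {
                                            v1 = 0;
                                        }
                                    }
                                }
                                if( v1 < 0 ) {
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                } else {
                                    switch( FunctionCode ) {
                                        case 1: {
                                            v1 = EtwpStartTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 2: {
                                            v1 = EtwpStopTrace( RealtimeConnectContext, 0 );
                                            break;
                                        }
                                        case 3: {
                                            v1 = EtwpQueryTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 4: {
                                            v1 = EtwpUpdateTrace( RealtimeConnectContext );
                                            break;
                                        }
                                        case 5: {
                                            v1 = EtwpFlushTrace( RealtimeConnectContext );
                                            break;
                                        }
                                    }
                                    LocalReturnLength = 176;
                                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                                    goto node_231;
                                }
                            }
                        }
                    } else if( InBufferLen == 48 && OutBufferLen == 0 ) {
                        v1 = WdiDispatchControl( __security_cookie ^ &local_0x4 );
                        v2.SavedEsp = esp.SavedEsp + 4294967224;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( FunctionCode != 14 ) {
                    if( FunctionCode != 15 ) {
                        if( FunctionCode == 16 ) {
                            if( InBufferLen == 0 && OutBufferLen < 65537 ) {
                                v1 = EtwpReceiveNotification( RealtimeConnectContext, OutBufferLen, &LocalReturnLength );
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                goto node_167;
                            }
                        }
                    } else if( InBufferLen == 160 && OutBufferLen == 160 ) {
                        v1 = EtwpRegisterUMGuid( RealtimeConnectContext );
                        LocalReturnLength = 160;
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 8 && OutBufferLen == 0 ) {
                    v1 = EtwpRealtimeDisconnectConsumer( RealtimeConnectContext->Data2, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen < 72 || OutBufferLen != 72 && OutBufferLen != 0 || InBufferLen != RealtimeConnectContext->Data2 ) {
                goto node_167;
            } else {
                if( RealtimeConnectContext->Data1 == 3 ) {
                    v1 = EtwpEnableGuid( 1, __security_cookie ^ &local_0x4 );
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                } else {
                    v1 = EtwpNotifyGuid( __security_cookie ^ &local_0x4 );
                    LocalReturnLength = OutBufferLen;
                    v2.SavedEsp = esp.SavedEsp + 4294967224;
                    goto node_231;
                }
            }
        } else if( FunctionCode != 18 ) {
            if( FunctionCode != 19 ) {
                if( FunctionCode != 20 ) {
                    if( FunctionCode == 21 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidList( RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else if( FunctionCode != 22 ) {
                        if( FunctionCode == 23 ) {
                            LocalReturnLength = OutBufferLen;
                            v1 = EtwpEnumerateTraceGuids( RealtimeConnectContext, &LocalReturnLength );
                            v2.SavedEsp = esp.SavedEsp + 4294967220;
                            goto node_231;
                        } else if( FunctionCode == 24 ) {
                            if( InBufferLen != 0 || OutBufferLen != 0 ) {
                                goto node_167;
                            } else if( EtwpSecurityProviderPID != 0 ) {
                                v1 = -1073741790;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            } else {
                                EtwpSecurityProviderPID = *(*((unsigned char *)fs + 292) + 524);
                                v1 = 0;
                                v2.SavedEsp = esp.SavedEsp + 4294967220;
                                goto node_231;
                            }
                        }
                    } else if( InBufferLen == 16 ) {
                        LocalReturnLength = OutBufferLen;
                        v1 = EtwpGetTraceGuidInfo( RealtimeConnectContext, RealtimeConnectContext, &LocalReturnLength );
                        v2.SavedEsp = esp.SavedEsp + 4294967220;
                        goto node_231;
                    } else {
                        goto node_167;
                    }
                } else if( InBufferLen == 0 && OutBufferLen == 0 ) {
                    v1 = WdiUpdateSem();
                    v2.SavedEsp = esp.SavedEsp + 4294967220;
                    goto node_231;
                } else {
                    goto node_167;
                }
            } else if( InBufferLen == 8 && OutBufferLen > 71 ) {
                v1 = EtwpReceiveReplyDataBlock( RealtimeConnectContext, OutBufferLen, &ReturnSize );
                LocalReturnLength = ReturnSize;
                v2.SavedEsp = esp.SavedEsp + 4294967220;
                goto node_231;
            } else {
                goto node_167;
            }
        } else if( InBufferLen > 71 && InBufferLen == RealtimeConnectContext->Data2 ) {
            RealtimeConnectContext[2].Data2 = *(*((unsigned char *)fs + 292) + 524);
            v1 = EtwpSendReplyDataBlock( __security_cookie ^ &local_0x4 );
            v2.SavedEsp = esp.SavedEsp + 4294967224;
            goto node_231;
        } else {
            goto node_167;
        }
        v1 = -1073741808;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        goto node_231;
        node_167:
        v1 = -1073741811;
        v2.SavedEsp = esp.SavedEsp + 4294967220;
        node_231:
        if( v1 >= 0 ) {
            if( LocalReturnLength != 0 ) {
                *(v2.SavedEsp + 4294967292) = LocalReturnLength;
                *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
                *(v2.SavedEsp + 4294967284) = OutBuffer;
                *(v2.SavedEsp + 4294967280) = &code_0x1EEF1D+0xC;
                memcpy( *(v2.SavedEsp + 4294967284), *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
            }
            ReturnLength[0] = LocalReturnLength;
        }
        if( v1 == -1073741789 && (FunctionCode == 16 || FunctionCode == 21 || FunctionCode == 22) || FunctionCode == 23 || FunctionCode == 19 ) {
            ReturnLength[0] = LocalReturnLength;
        }
    } else {
        if( InBuffer == 0 ) {
            InBufferLen = 0;
        } else if( InBufferLen != 0 && (InBufferLen + InBuffer > MmUserProbeAddress || InBufferLen + InBuffer < InBuffer) ) {
            *MmUserProbeAddress = 0;
        }
        if( OutBuffer != 0 ) {
            ProbeForWrite( OutBuffer, OutBufferLen, 1 );
        } else {
            OutBufferLen = 0;
        }
        if( ReturnLength == 0 ) {
            v1 = -1073741811;
            v2.SavedEsp = esp.SavedEsp + 4294967220;
        } else {
            if( ReturnLength >= MmUserProbeAddress ) {
                v3 = MmUserProbeAddress;
            } else {
                v3 = ReturnLength;
            }
            v3[0] = v3[0];
            goto node_19;
        }
    }
    if( RealtimeConnectContext != 0 ) {
        *(v2.SavedEsp + 4294967292) = 0;
        *(v2.SavedEsp + 4294967288) = RealtimeConnectContext;
        *(v2.SavedEsp + 4294967284) = &code_0x1EEF93;
        ExFreePoolWithTag( *(v2.SavedEsp + 4294967288), *(v2.SavedEsp + 4294967292) );
    }
    *(v2.SavedEsp + 4294967292) = &code_0x1EEF93+0x7;
    *fs = ExceptionRegistration.Next;
    return v1;
    
//    */
    
    (void)FunctionCode;
    (void)InBuffer;
    (void)InBufferLen;
    (void)OutBuffer;
    (void)OutBufferLen;

    /* Nothing was produced: make that visible to the caller instead of leaving
       the output length indeterminate. */
    if( ReturnSize != NULL ) {
        *ReturnSize = 0;
    }

    return STATUS_SUCCESS;
    
}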


/* Returns a registration handle (NULL on failure), not an NTSTATUS; the stub below never registers anything. */
PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
);

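PVOID KeRegisterProcessorChangeCallback_k8(
    PPROCESSOR_CALLBACK_FUNCTION CallbackFunction,
    PVOID                        CallbackContext,
    ULONG                        Flags
)
{
    /*
     * Stub: no processor-change notification is ever delivered.
     *
     * The return type is a registration handle, not an NTSTATUS.  The original
     * `return STATUS_SUCCESS` only produced a null pointer because that constant
     * happens to be 0; say NULL explicitly.  Per the WDK contract NULL means
     * "registration failed", which is the honest answer while the callback is
     * never invoked.  NOTE(review): a caller passing KE_PROCESSOR_CHANGE_ADD_EXISTING
     * expects the callback to run for every existing processor on success, so do
     * not hand back a non-NULL handle until that is implemented.
     */
    (void)CallbackFunction;
    (void)CallbackContext;
    (void)Flags;

    return NULL;
}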


/*
 * NOTE(review): C4333 is MSVC's "right shift by too large amount, data loss".
 * A bit-count helper that shifts a byte-sized operand by 16 or 24 is a real
 * bug, not noise; fix the shift and delete this pragma rather than silence it.
 */
#pragma warning(disable : 4333)

//
//  Lookup table that tells how many clear bits (i.e., 0) there are in a byte
//

/*
 * RtlpBitsClearTotal[b] == number of zero bits in the byte value b
 * (entry 0 is 8, entry 0xFF is 0, entry 1 is 7).  A popcount of a byte is
 * therefore 8 - RtlpBitsClearTotal[b], or RtlpBitsClearTotal[(UCHAR)~b].
 */
CONST CCHAR RtlpBitsClearTotal[] =
          { 8,7,7,6,7,6,6,5,7,6,6,5,6,5,5,4,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            7,6,6,5,6,5,5,4,6,5,5,4,5,4,4,3,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            6,5,5,4,5,4,4,3,5,4,4,3,4,3,3,2,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            5,4,4,3,4,3,3,2,4,3,3,2,3,2,2,1,
            4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 };


/* Population count of Target (number of 1 bits), over the full width of ULONG_PTR. */
ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
);

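ULONG RtlNumberOfSetBitsUlongPtr_k8(
    ULONG_PTR Target
)
{
    /*
     * Count the 1 bits of Target one byte at a time with RtlpBitsClearTotal,
     * which holds the number of *zero* bits per byte: indexing it with the
     * complement of each byte yields that byte's set-bit count.
     *
     * The decompiled version this replaces cast to (unsigned char) *before*
     * shifting (`(unsigned char)~Target >> 16`, `(unsigned char)~Target / 256`),
     * so two of the four table lookups always used index 0 (= 8) and, e.g.,
     * RtlNumberOfSetBitsUlongPtr_k8(0) returned 16.  That is also the code the
     * C4333 pragma above was silencing.  Looping over sizeof(ULONG_PTR) bytes
     * keeps the result correct for a 64-bit ULONG_PTR as well.
     */
    ULONG SetBits = 0;
    ULONG_PTR Complement = ~Target;
    unsigned int ByteIndex;

    for( ByteIndex = 0; ByteIndex < sizeof( ULONG_PTR ); ByteIndex++ ) {
        SetBits += (ULONG)RtlpBitsClearTotal[Complement & 0xFF];
        Complement >>= 8;
    }

    return SetBits;
}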

/*
 * Per-page cache attribute used by the Vista-era page allocator.  The values
 * are made explicit because MmAllocatePagesForMdlEx's reference code selects
 * MiNotMapped by its raw value (3) for any MEMORY_CACHING_TYPE above
 * MmWriteCombined, and indexes MiPlatformCacheAttributes for the rest.
 */
typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached     = 0,
    MiCached        = 1,
    MiWriteCombined = 2,
    MiNotMapped     = 3
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;


//
// Cache control stuff.  Note this may be overridden by deficient hardware
// platforms at startup.
//

/*
 * MEMORY_CACHING_TYPE -> MI_PFN_CACHE_ATTRIBUTE.  The array holds two copies of
 * the mapping: index CacheType for memory space, MmMaximumCacheType + CacheType
 * for I/O space.  Entry order follows MEMORY_CACHING_TYPE as the WDK declares it
 * (MmNonCached, MmCached, MmWriteCombined, MmHardwareCoherentCached,
 * MmNonCachedUnordered, MmUSWCCached) -- NOTE(review): verify against the header
 * this file is built with.
 */
MI_PFN_CACHE_ATTRIBUTE MiPlatformCacheAttributes[2 * MmMaximumCacheType] =
{
    //
    // Memory space
    //

    MiNonCached,        // MmNonCached
    MiCached,           // MmCached
    MiWriteCombined,    // MmWriteCombined
    MiCached,           // MmHardwareCoherentCached
    MiNonCached,        // MmNonCachedUnordered
    MiWriteCombined,    // MmUSWCCached

    //
    // I/O space
    //

    MiNonCached,
    MiCached,
    MiWriteCombined,
    MiCached,
    MiNonCached,
    MiWriteCombined
};

/* Vista-style allocator; on this kernel it is backed by MmAllocatePagesForMdl (no cache type, no flags). */
PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
);


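PMDL MmAllocatePagesForMdlEx_k8(
    PHYSICAL_ADDRESS    LowAddress,
    PHYSICAL_ADDRESS    HighAddress,
    PHYSICAL_ADDRESS    SkipBytes,
    SIZE_T              TotalBytes,
    MEMORY_CACHING_TYPE CacheType,
    ULONG               Flags
)
{
    /*
     * Vista's MmAllocatePagesForMdlEx = MmAllocatePagesForMdl + a caching type
     * recorded per page + two flag bits.  The reference decompilation returned
     *   NULL when (Flags & 0xFFFFFFFC) != 0, i.e. only the two low bits are
     *   defined (in the WDK: MM_DONT_ZERO_ALLOCATION and
     *   MM_ALLOCATE_FROM_LOCAL_NODE_ONLY),
     * and mapped CacheType through MiPlatformCacheAttributes (MiNotMapped for
     * anything above MmWriteCombined) before calling its internal allocator.
     *
     * This kernel's exported MmAllocatePagesForMdl takes neither, so:
     *   - unknown flag bits are still rejected, as the original does, instead
     *     of being silently ignored;
     *   - the two known bits are accepted but not acted on.  Ignoring
     *     MM_DONT_ZERO_ALLOCATION is the safe direction: MmAllocatePagesForMdl
     *     is documented to return zero-filled pages, so no stale data from a
     *     previous owner is handed out.  The NUMA hint has no equivalent here.
     *   - CacheType cannot be recorded on the pages; NOTE(review): callers that
     *     need non-default caching must still get it at map time
     *     (MmMapLockedPagesSpecifyCache), which this wrapper cannot enforce.
     */
    if( (Flags & ~(ULONG)0x3) != 0 ) {
        return NULL;
    }

    (void)CacheType;

    return MmAllocatePagesForMdl( LowAddress, HighAddress, SkipBytes, TotalBytes );
}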

/* TRUE when the spin lock is currently free.  A hint only: the caller must still acquire it. */
BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
);

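BOOLEAN KeTestSpinLock_k8(
    PKSPIN_LOCK SpinLock
)
{
    /*
     * Report whether the lock word looks free without trying to take it.
     *
     * The original unconditionally returned TRUE, turning every
     * "test, then try-acquire" spin loop into a hot try-acquire loop.  NT's
     * x86 spin-lock primitives set bit 0 of the lock word to take the lock and
     * store 0 to release it (NOTE(review): confirm against this kernel's
     * KeAcquireSpinLock before relying on it; on a uniprocessor build the word
     * is never written and so always reads as free, which is also correct).
     * The read is volatile so a spinning caller re-reads memory each time.
     * The result is only a hint: the caller must still acquire the lock and
     * cope with losing the race.
     */
    return (BOOLEAN)( ( *(volatile ULONG_PTR *)SpinLock & 1 ) == 0 );
}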


/* Stub: always reports NUMA node 0 for any device. */
NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
);

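NTSTATUS IoGetDeviceNumaNode_k8(
    PDEVICE_OBJECT Pdo,
    PUSHORT        NodeNumber
)
{
    /*
     * Stub: there is no device-to-node mapping on this kernel, so every device
     * is reported on node 0.  NodeNumber is an output; the original returned
     * STATUS_SUCCESS without writing it, so callers went on to use an
     * indeterminate node number (e.g. for node-local allocations).
     */
    (void)Pdo;

    if( NodeNumber != NULL ) {
        *NodeNumber = 0;
    }

    return STATUS_SUCCESS;
}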

/* Stub query: returns success with no data (see the definition for what the caller can rely on). */
NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength);
    
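NTSTATUS
ZwQuerySystemInformationEx_k8 (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    ULONG *ReturnLength)
{
    /*
     * Stub: no information class is implemented.
     *
     * The original reported STATUS_SUCCESS and left both SystemInformation and
     * *ReturnLength untouched, so a caller parsed whatever happened to be in
     * its buffer.  Keep the "succeeds" behaviour the rest of this port relies
     * on, but make the outputs defined: the buffer is zero-filled and the
     * returned length is 0, so a caller sees "no data" rather than garbage.
     * NOTE(review): a caller that sizes its buffer from a first call expecting
     * STATUS_INFO_LENGTH_MISMATCH will get success/0 here instead.
     */
    (void)SystemInformationClass;
    (void)InputBuffer;
    (void)InputBufferLength;

    if( SystemInformation != NULL && SystemInformationLength != 0 ) {
        memset( SystemInformation, 0, SystemInformationLength );
    }

    if( ReturnLength != NULL ) {
        *ReturnLength = 0;
    }

    return STATUS_SUCCESS;
}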


/* Local no-op stand-in for the kernel-internal MmDeleteKernelStack (only called from commented-out code). */
VOID
MmDeleteKernelStack (
    PVOID PointerKernelStack,
    BOOLEAN LargeStack
    );
    
VOID
MmDeleteKernelStack (
    PVOID PointerKernelStack,
    BOOLEAN LargeStack
    )
{
    /*
     * No-op stand-in for the non-exported kernel routine of the same name.
     * Nothing is released because KeAllocateCalloutStack_k8 never creates a
     * stack (its MmCreateKernelStack call is commented out).
     */
    (void)PointerKernelStack;
    (void)LargeStack;
}


/* Releases a callout-stack context obtained from KeAllocateCalloutStack_k8; NULL is accepted. */
VOID
KeFreeCalloutStack_k8 (
    PVOID Context
);
    
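VOID
KeFreeCalloutStack_k8 (
    PVOID Context
)
{
    /*
     * Context is the pool block KeAllocateCalloutStack_k8 hands out.  That
     * routine currently never allocates (it returns NULL), and ExFreePoolWithTag
     * is not NULL-safe (it reads the pool header in front of the block), so a
     * NULL Context must be rejected here rather than bugcheck.  The kernel-stack
     * release that the Vista code performed first is kept as a reminder.
     */
    if( Context == NULL ) {
        return;
    }

//    MmDeleteKernelStack( *((unsigned char *)Context + 8), *((unsigned char *)Context + 4) );
    ExFreePoolWithTag( Context, 0 );
}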


/* Stub: returns NULL (no callout stack can be allocated on this kernel yet). */
PVOID
KeAllocateCalloutStack_k8 (
    BOOLEAN LargeStack
);

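PVOID
KeAllocateCalloutStack_k8 (
    BOOLEAN LargeStack
)
{
    /*
     * Stub: no callout stack is ever allocated.
     *
     * The Vista code below allocates a 32-byte 'KeSc' context block, creates a
     * kernel stack with the non-exported MmCreateKernelStack, and fills in the
     * block; KeFreeCalloutStack_k8 frees that block.  Until an equivalent of
     * MmCreateKernelStack exists here, the honest result is NULL, which the
     * reference also returns on allocation failure.  The original spelled this
     * `return STATUS_SUCCESS`, which only yielded a null pointer because that
     * constant is 0, and declared four locals it never used.
     */
    
/*

    P = ExAllocatePoolWithTag( 0, 32, 1666409803 );
    if( P == 0 ) {
        P = 0;
    } else {
        if( (unsigned char)LargeStack != 0 ) {
            StackFlags = 5;
        } else {
            StackFlags = 0;
        }
        v1 = MmCreateKernelStack( StackFlags, 0, 0 );
        *((unsigned char *)P + 8) = v1;
        if( v1 == 0 ) {
            ExFreePoolWithTag( P, 0 );
            P = 0;
        } else {
            *((unsigned char *)P + 4) = v1 & 0xFFFFFF00 | (unsigned char)LargeStack != 0;
            *P = 1801548883;
            *((unsigned char *)P + 12) = 0;
            *((unsigned char *)P + 17) = v2 & 0xFFFFFF00;
            *((unsigned char *)P + 16) = 7;
            *((unsigned char *)P + 18) = 4;
            *((unsigned char *)P + 20) = 1;
            *((unsigned char *)P + 28) = (unsigned char *)P + 16 + 8;
            *((unsigned char *)P + 24) = (unsigned char *)P + 16 + 8;
        }
    }
    return P;

*/

    (void)LargeStack;

    return NULL;
}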


/* Captures the audit id, impersonation token (if Thread is given) and primary token for Process into SubjectContext. */
VOID
SeCaptureSubjectContextEx_k8 (
    PETHREAD Thread,
    PEPROCESS Process,
    PSECURITY_SUBJECT_CONTEXT SubjectContext
  );


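VOID
SeCaptureSubjectContextEx_k8 (
    PETHREAD Thread,
    PEPROCESS Process,
    PSECURITY_SUBJECT_CONTEXT SubjectContext
  )
{
    BOOLEAN CopyOnOpen;
    BOOLEAN EffectiveOnly;

    /*
     * Capture the security subject for an arbitrary thread/process pair.
     *
     * Same three steps as the reference decompilation kept below, written with
     * exports this kernel has instead of raw Vista EPROCESS offsets:
     *   - ProcessAuditId: the reference reads EPROCESS + 156 (0x9C), which on
     *     that kernel's x86 EPROCESS is UniqueProcessId -- NOTE(review): verify;
     *     PsGetProcessId returns that field here.
     *   - ClientToken: the thread's impersonation token when a Thread is given,
     *     otherwise NULL (ImpersonationLevel is left untouched in that case,
     *     exactly as the reference does).
     *   - PrimaryToken: the process token.
     * Both Ps*Reference* calls take a reference that the matching
     * SeReleaseSubjectContext drops.  The empty stub this replaces left every
     * field indeterminate, so a later release or access check dereferenced
     * garbage token pointers.
     */
    SubjectContext->ProcessAuditId = PsGetProcessId( Process );

    if( Thread == NULL ) {
        SubjectContext->ClientToken = NULL;
    } else {
        SubjectContext->ClientToken = PsReferenceImpersonationToken( Thread,
                                                                    &CopyOnOpen,
                                                                    &EffectiveOnly,
                                                                    &SubjectContext->ImpersonationLevel );
    }

    SubjectContext->PrimaryToken = PsReferencePrimaryToken( Process );

/*

    SubjectContext->ProcessAuditId = *(Process[0] + 156);
    if( Thread[0] == 0 ) {
        SubjectContext->ClientToken = 0;
    } else {
        v1 = PsReferenceImpersonationToken( Thread[0], &stack_0xB, &stack_0x7, &SubjectContext->ImpersonationLevel );
        SubjectContext->ClientToken = v1;
    }
    v2 = PsReferencePrimaryToken( Process[0] );
    SubjectContext->PrimaryToken = v2;
    
*/

}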


/* Stub access check: always denies, with *GrantedAccess, *AccessStatus and *Privileges set to defined values. */
BOOLEAN
SeAccessCheckFromState_k8 (
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation,
    PTOKEN_ACCESS_INFORMATION ClientTokenInformation,
    ACCESS_MASK DesiredAccess,
    ACCESS_MASK PreviouslyGrantedAccess,
    PPRIVILEGE_SET *Privileges,
    PGENERIC_MAPPING GenericMapping,
    KPROCESSOR_MODE AccessMode,
    PACCESS_MASK GrantedAccess,
    PNTSTATUS AccessStatus
    );

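BOOLEAN
SeAccessCheckFromState_k8 (
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    PTOKEN_ACCESS_INFORMATION PrimaryTokenInformation,
    PTOKEN_ACCESS_INFORMATION ClientTokenInformation,
    ACCESS_MASK DesiredAccess,
    ACCESS_MASK PreviouslyGrantedAccess,
    PPRIVILEGE_SET *Privileges,
    PGENERIC_MAPPING GenericMapping,
    KPROCESSOR_MODE AccessMode,
    PACCESS_MASK GrantedAccess,
    PNTSTATUS AccessStatus
    )

{
    /*
     * Stub that fails closed.  The Vista code below rebuilds TOKEN objects from
     * the two TOKEN_ACCESS_INFORMATION blocks (SepTokenFromAccessInformation,
     * a Vista-internal layout) and hands them to SeAccessCheck; that cannot be
     * reproduced on this kernel, so every check is denied.
     *
     * Denying is the safe answer, but the outputs have to be defined: the
     * original returned FALSE and left *GrantedAccess and *AccessStatus
     * untouched, so a caller that propagated *AccessStatus reported an
     * indeterminate NTSTATUS.  SeAccessCheck also nulls *Privileges on entry,
     * so do the same.
     *
     * NOTE(review): the reference delegates to SeAccessCheck, which grants
     * unconditionally for AccessMode == KernelMode; this stub is therefore
     * stricter than Vista for kernel-mode callers in netio.
     */
    (void)SecurityDescriptor;
    (void)PrimaryTokenInformation;
    (void)ClientTokenInformation;
    (void)DesiredAccess;
    (void)PreviouslyGrantedAccess;
    (void)GenericMapping;
    (void)AccessMode;

    if( Privileges != NULL ) {
        *Privileges = NULL;
    }
    *GrantedAccess = 0;
    *AccessStatus = STATUS_ACCESS_DENIED;
    
/*
    
    struct _TOKEN * local_0x404; // [esp-1028]
    unsigned char v1; // [esp-991]
    struct _TOKEN PrimaryToken; // [esp-988]
    unsigned int local_0xC; // [esp-12]
    struct _TOKEN_ACCESS_INFORMATION * AccessInformation1; // ebx
    unsigned int esp; // esp
    struct _TOKEN * Token; // esi
    struct _TOKEN_ACCESS_INFORMATION * AccessInformation; // edi
    unsigned char v3; // eax
    unsigned int v2; // esp

    local_0xC = __security_cookie ^ (esp - 4 & 0xFFFFFFF8) - 1020;
    local_0x404 = Privileges;
    memset( &v1, 0, 487 );
    memset( &PrimaryToken, 0, 487 );
    SepTokenFromAccessInformation( AccessInformation, Token );
    if( ClientTokenInformation != 0 ) {
        SepTokenFromAccessInformation( AccessInformation1, local_0x404 );
        v2 = (esp - 4 & 0xFFFFFFF8) + 4294966280;
    } else {
        v2 = (esp - 4 & 0xFFFFFFF8) + 4294966272;
    }
    *(v2 + 4294967292) = *(v2 + 20);
    *(v2 + 4294967288) = *(v2 + 28);
    *(v2 + 4294967284) = AccessMode;
    *(v2 + 4294967280) = GenericMapping;
    *(v2 + 4294967276) = *(v2 + 12);
    *(v2 + 4294967272) = PreviouslyGrantedAccess;
    *(v2 + 4294967268) = DesiredAccess;
    *(v2 + 4294967264) = 1;
    *(v2 + 4294967260) = v2 + 32;
    *(v2 + 4294967256) = *(v2 + 16);
    *(v2 + 4294967252) = &code_0x34BF8+0x28;
    v3 = SeAccessCheck( *(v2 + 4294967256), *(v2 + 4294967260), *(v2 + 4294967264), *(v2 + 4294967268), *(v2 + 4294967272), *(v2 + 4294967276), *(v2 + 4294967280), *(v2 + 4294967284), *(v2 + 4294967288), *(v2 + 4294967292) );
    *(v2 + 8) = &code_0x34BF8+0x39;
    __security_check_cookie( *(v2 + 1028) ^ v2 + 12 );
    return v3;

*/

    return FALSE;

}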
    

/* Queues a completion packet to IoCompletion; backed by this kernel's IoSetIoCompletion (MiniPacket is not used). */
long __stdcall IoSetIoCompletionEx_k8 (
    PVOID  IoCompletion,
    PVOID  KeyContext,
    PVOID  ApcContext,
    long IoStatus,
    unsigned long IoStatusInformation,
    unsigned char Quota,
    PVOID  MiniPacket
);


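long __stdcall IoSetIoCompletionEx_k8 (
    PVOID  IoCompletion,
    PVOID  KeyContext,
    PVOID  ApcContext,
    long IoStatus,
    unsigned long IoStatusInformation,
    unsigned char Quota,
    PVOID  MiniPacket
)
{
    /*
     * Vista's IoSetIoCompletionEx is IoSetIoCompletion plus an optional
     * caller-supplied packet: the reference below allocates a mini completion
     * packet when MiniPacket is NULL, stores KeyContext / ApcContext / IoStatus /
     * IoStatusInformation in it and KeInsertQueue()s it on the completion
     * object.  This kernel exports IoSetIoCompletion with exactly that
     * "allocate, fill, queue" behaviour, so delegate to it.  The stub this
     * replaces returned STATUS_SUCCESS without queueing anything, which left the
     * consumer of the completion port waiting for a packet that never arrived.
     *
     * NOTE(review): a non-NULL MiniPacket would be a Vista-format
     * IOP_MINI_COMPLETION_PACKET, whose layout this kernel's dequeue path does
     * not share, so it is deliberately not queued; the completion is still
     * delivered through a packet IoSetIoCompletion allocates, and the caller's
     * block is simply left unused.  This kernel exports no
     * IoAllocateMiniCompletionPacket for a caller to obtain one from, so the
     * path is presumably never taken.
     */
    (void)MiniPacket;

/*
    
    long v1; // esi

    if( MiniPacket == 0 ) {
        MiniPacket = IopAllocateMiniCompletionPacket( 1, Quota );
        if( MiniPacket == 0 ) {
            v1 = -1073741670;
        } else {
            *((unsigned char *)MiniPacket + 12) = KeyContext;
            *((unsigned char *)MiniPacket + 16) = ApcContext;
            *((unsigned char *)MiniPacket + 20) = IoStatus;
            *((unsigned char *)MiniPacket + 24) = IoStatusInformation;
            KeInsertQueue( IoCompletion, MiniPacket );
            return 0;
        }
    } else {
        *((unsigned char *)MiniPacket + 12) = KeyContext;
        *((unsigned char *)MiniPacket + 16) = ApcContext;
        *((unsigned char *)MiniPacket + 20) = IoStatus;
        *((unsigned char *)MiniPacket + 24) = IoStatusInformation;
        KeInsertQueue( IoCompletion, MiniPacket );
        v1 = 0;
    }
    return v1;

*/

    return IoSetIoCompletion( IoCompletion, KeyContext, ApcContext, IoStatus, IoStatusInformation, Quota );

}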

/* Stub: releases nothing (RtlCreateHashTable_k8 allocates nothing either). */
VOID
RtlDeleteHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    );


VOID
RtlDeleteHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    )
{
    /*
     * Stub: nothing to release, because RtlCreateHashTable_k8 never allocates.
     *
     * Reference (Vista decompilation): frees the second-level directory -- a
     * single block when the table has fewer than 129 buckets, otherwise each of
     * up to 512 per-directory blocks and then the directory itself -- and
     * finally the table when bit 0 of its first word says RtlCreateHashTable
     * allocated it.
     */
    
/*
    
    unsigned long v1;
    int v2; // edi
    unsigned long eax; // eax

    if( *(HashTable + 8) < 129 ) {
        eax = *(HashTable + 32);
        if( eax != 0 ) {
            eax = ExFreePoolWithTag( eax, 0 );
        }
    } else {
        v1 = *(HashTable + 32);
        if( v1 != 0 ) {
            v2 = 0;
            while( *(v1 + v2 * 4) != 0 ) {
                ExFreePoolWithTag( *(v1 + v2 * 4), 0 );
                if( v2 > 510 ) {
                    break;
                }
                v2 += 1;
            }
            eax = ExFreePoolWithTag( v1, 0 );
        }
    }
    if( (unsigned char)(*HashTable & 0x1) != 0 ) {
        eax = ExFreePoolWithTag( HashTable, 0 );
    }
    return eax;
    
*/

    (void)HashTable;
}


/* Stub: always reports failure (FALSE) and leaves *HashTable as the caller passed it. */
BOOLEAN
RtlCreateHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE *HashTable,
    ULONG Shift,
    ULONG Flags
    );
    

BOOLEAN
RtlCreateHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE *HashTable,
    ULONG Shift,
    ULONG Flags
    )
{
    /*
     * Stub: creation always fails and *HashTable is left exactly as passed in,
     * so a caller that supplied its own table storage must not use it and a
     * caller that passed NULL still holds NULL.
     *
     * Reference (Vista decompilation): allocates a 36-byte 'RHT' table when
     * *HashTable is NULL (recording that in bit 0 of the flags word so
     * RtlDeleteHashTable frees it), zeroes it, seeds 128 buckets / divisor mask
     * 127 / the caller's Shift, and allocates the first second-level directory;
     * on failure of that last step it deletes the table again.
     */
    
/*
    
    unsigned long v4;
    int v6; // ecx
    unsigned long v5; // edi
    unsigned long v7; // eax
    unsigned long v2; // eax
    unsigned long v1; // edx
    unsigned long v3; // eax

    if( *HashTable == 0 ) {
        v2 = ExAllocatePoolWithTag( 0, 36, 1650545736 );
        *HashTable = v2;
        if( v2 != 0 ) {
            v1 = 1;
        } else {
            goto node_30;
        }
    } else {
        v1 = 0;
    }
    v4 = *HashTable;
    v5 = v4;
    v6 = 9;
    while( v6 != 0 ) {
        *v5 = 0;
        v5 += 4;
        v6 -= 1;
    }
    *(v4 + 12) = 0;
    *v4 = v1 | Flags;
    *(v4 + 8) = 128;
    *(v4 + 16) = 127;
    *(v4 + 4) = Shift;
    v7 = RtlpAllocateSecondLevelDir();
    if( v7 == 0 ) {
        v2 = RtlDeleteHashTable( v4 );
    } else {
        *(v4 + 32) = v7;
        return v7 & 0xFFFFFF00 | 0x1;
    }
    node_30:
    return v2 & 0xFFFFFF00;

*/

    (void)HashTable;
    (void)Shift;
    (void)Flags;

    return 0;   /* FALSE: not created */
}


/* Stub: always NULL ("no further entry"). */
PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlGetNextEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    );

PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlGetNextEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    )
{
    /*
     * Stub: reports that the chain described by Context has no further entry.
     *
     * Reference (Vista decompilation): walks the chain from Context's current
     * position, skipping enumerator placeholders (entries whose signature word
     * is 0) when the table has active enumerators, and returns the next entry
     * only if its signature matches the one stored in Context, advancing
     * Context to it.
     */
    
/*
    
    unsigned long v1;
    unsigned int v3; // edx
    unsigned int v2; // edx

    v1 = ***(Context + 4);
    if( *Context == v1 ) {
        v1 = 0;
    } else {
        if( *(HashTable + 28) != 0 ) {
            v3 = **(Context + 4);
            while( *(*v3 + 8) == 0 ) {
                if( *Context == **v3 ) {
                    v2 = *v3;
                    v1 = *v3;
                    goto node_21;
                } else {
                    v3 = *v3;
                }
            }
            v2 = v3;
            v1 = *v3;
        } else {
            v2 = **(Context + 4);
        }
        node_21:
        if( *(Context + 8) == *(v1 + 8) ) {
            *(Context + 4) = v2;
        } else {
            return 0;
        }
    }
    return v1;
    
*/

    (void)HashTable;
    (void)Context;

    return NULL;
}

/* Stub: every lookup misses (returns NULL); Context is not populated. */
PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlLookupEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    ULONG_PTR Signature,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    );


PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlLookupEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    ULONG_PTR Signature,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    )
{
    /*
     * Stub: every lookup misses.  Context, when supplied, is left untouched.
     *
     * Reference (Vista decompilation): populates a (possibly local) context for
     * Signature's bucket, then returns the first chain entry when its signature
     * equals Signature, else NULL.
     */
    
/*
    
    unsigned long v1;
    unsigned long local_0x10; // [esp-16]
    unsigned long esi; // esi

    if( Context == 0 ) {
        Context = &local_0x10;
    }
    RtlpPopulateContext( Signature, esi, local_0x10 );
    if( **(Context + 4) == *Context ) {
        v1 = 0;
    } else {
        v1 = ~-(Signature != *(**(Context + 4) + 8)) & **(Context + 4);
    }
    return v1;
    
*/

    (void)HashTable;
    (void)Signature;
    (void)Context;

    return NULL;
}


/* Stub: removes nothing and reports FALSE. */
BOOLEAN
RtlRemoveEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    );


BOOLEAN
RtlRemoveEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    )
{
    /*
     * Stub: the entry is not unlinked and FALSE is returned.
     *
     * Reference (Vista decompilation): decrements the entry count (and the
     * non-empty-bucket count when the entry was alone in its chain), unlinks
     * Entry from its doubly linked chain, fills an empty Context from Entry's
     * signature if one was supplied, and always returns TRUE.
     */
    
/*
    
    unsigned long esi; // esi
    unsigned long edi; // edi
    unsigned long v1; // eax

    *(HashTable + 20) += 4294967295;
    if( *(Entry + 4) == *Entry ) {
        *(HashTable + 24) += 4294967295;
    }
    v1 = *(Entry + 4);
    *v1 = *Entry;
    *(*Entry + 4) = v1;
    if( Context != 0 && *Context == 0 ) {
        v1 = RtlpPopulateContext( *(Entry + 8), edi, esi );
    }
    return v1 & 0xFFFFFF00 | 0x1;
    
*/

    (void)HashTable;
    (void)Entry;
    (void)Context;

    return 0;   /* FALSE: nothing removed */
}

    

/* Stub: inserts nothing and reports FALSE, so callers must treat the entry as not owned by the table. */
BOOLEAN
RtlInsertEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
    ULONG_PTR Signature,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    );


BOOLEAN
RtlInsertEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
    ULONG_PTR Signature,
    PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
    )
{
    /*
     * Stub: Entry is not linked anywhere and FALSE is returned; Entry and any
     * supplied Context are left untouched.
     *
     * Reference (Vista decompilation): stores Signature in the entry, bumps the
     * entry count, populates a local or empty Context for the bucket, bumps the
     * non-empty-bucket count if the chain was empty, links Entry at the chain
     * head and returns TRUE.
     */
    
/*
    
    unsigned int local_0x10; // [esp-16]
    unsigned long esi; // esi
    unsigned long edi; // edi

    *(Entry + 8) = Signature;
    *(HashTable + 20) += 1;
    if( Context == 0 ) {
        RtlpPopulateContext( Signature, edi, esi );
        Context = &local_0x10;
    } else if( *Context == 0 ) {
        RtlpPopulateContext( Signature, edi, esi );
    }
    if( *Context == **Context ) {
        *(HashTable + 24) += 1;
    }
    *(Entry + 4) = *(Context + 4);
    *Entry = **(Context + 4);
    *(**(Context + 4) + 4) = Entry;
    **(Context + 4) = Entry;
    return *(Context + 4) & 0xFFFFFF00 | 0x1;

*/

    (void)HashTable;
    (void)Entry;
    (void)Signature;
    (void)Context;

    return 0;   /* FALSE: not inserted */
}


VOID
RtlEndEnumerationHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    );


/*
 * Stub for RtlEndEnumerationHashTable.
 *
 * No-op: the enumerator is not unlinked and the table's enumeration
 * counter is not decremented.  Both parameters are ignored.
 *
 * The commented block is decompiler output of the original routine, kept
 * as a porting reference; offsets are unverified.
 */
VOID
RtlEndEnumerationHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    )
{
    (void)HashTable;
    (void)Enumerator;

/*
    
    *(HashTable + 28) += 4294967295;
    if( Enumerator != *Enumerator ) {
        **(Enumerator + 4) = *Enumerator;
        *(*Enumerator + 4) = *(Enumerator + 4);
        if( *(Enumerator + 12) == **(Enumerator + 12) ) {
            *(HashTable + 24) += 4294967295;
        }
    }
    *(Enumerator + 12) = 0;
    return Enumerator;
    
*/
}


PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlEnumerateEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    );


/*
 * Stub for RtlEnumerateEntryHashTable.
 *
 * Always returns a null entry pointer, i.e. "no more entries", without
 * touching HashTable or Enumerator.  Paired with the init/end stubs this
 * makes every enumeration look empty.
 *
 * The commented block is decompiler output of the original routine, kept
 * as a porting reference; the labels, stack arithmetic and offsets are
 * raw decompiler artefacts.
 */
PRTL_DYNAMIC_HASH_TABLE_ENTRY
RtlEnumerateEntryHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    )
{
    (void)HashTable;
    (void)Enumerator;

/*
    
    int esp; // esp
    unsigned int v2; // ebx
    unsigned long v5; // eax
    int v1; // esp
    unsigned long v3;
    unsigned long v4;

    v1 = esp - 16;
    v2 = *(Enumerator + 16);
    while( v2 < *(HashTable + 8) ) {
        if( *(Enumerator + 16) == v2 ) {
            v5 = *(Enumerator + 12);
            v5 = Enumerator;
            break;
        } else {
            *(v1 - 4) = &code_0x8F619+0x9;
            v5 = RtlpGetChainHead( v3, v4 );
            v1 += 8;
            break;
        }
        do {
            if( v5 == *v5 ) {
                goto node_61;
            } else {
                v5 = *v5;
            }
        } while( *(v5 + 8) == 0 );
        **(Enumerator + 4) = *Enumerator;
        *(*Enumerator + 4) = *(Enumerator + 4);
        if( v5 != *(Enumerator + 12) ) {
            if( *(Enumerator + 12) == **(Enumerator + 12) ) {
                *(HashTable + 24) += 4294967295;
            }
            if( v5 == *v5 ) {
                *(HashTable + 24) += 1;
            }
        }
        *(Enumerator + 16) = v2;
        *(Enumerator + 12) = v5;
        *Enumerator = *v5;
        *(Enumerator + 4) = v5;
        *(*v5 + 4) = Enumerator;
        *v5 = Enumerator;
        goto node_23;
        node_61:
        v2 += 1;
    }
    v5 = 0;
    node_23:
    return v5;

*/

    return 0;
}


BOOLEAN
RtlInitEnumerationHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    );


/*
 * Stub for RtlInitEnumerationHashTable.
 *
 * Enumerator is left untouched (nothing is linked, no field is written)
 * and 0 (failure) is returned, so a caller that honours the result will
 * not start an enumeration.
 *
 * The commented block is decompiler output of the original routine, kept
 * as a porting reference; offsets and register names are unverified.
 */
BOOLEAN
RtlInitEnumerationHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable,
    PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
    )
{
    (void)HashTable;
    (void)Enumerator;

/*
    
    unsigned int local_0x10; // [esp-16]
    unsigned long esi; // esi
    unsigned long edi; // edi

    RtlpPopulateContext( 0, edi, esi );
    *(HashTable + 28) += 1;
    if( local_0x10 == *local_0x10 ) {
        *(HashTable + 24) += 1;
    }
    *Enumerator = *local_0x10;
    *(Enumerator + 4) = local_0x10;
    *(*local_0x10 + 4) = Enumerator;
    *local_0x10 = Enumerator;
    *(Enumerator + 16) = 0;
    *(Enumerator + 8) = 0;
    *(Enumerator + 12) = local_0x10;
    return Enumerator & 0xFFFFFF00 | 0x1;
    
*/

    return 0;
}


BOOLEAN
RtlContractHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    );


/*
 * Stub for RtlContractHashTable.
 *
 * The table is not resized and nothing is freed; 0 (failure / "no change")
 * is returned.  HashTable is ignored.
 *
 * The commented block is decompiler output of the original routine, kept
 * as a porting reference.  The pool-free calls and the /128 directory
 * arithmetic in it are raw decompiler output and have not been verified
 * against a real structure layout.
 */
BOOLEAN
RtlContractHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    )
{
    (void)HashTable;

/*
    
    unsigned long v7;
    unsigned long eax; // eax
    unsigned long ebx; // ebx
    unsigned long ebp; // ebp
    unsigned long esi; // esi
    unsigned long edi; // edi
    unsigned int v1; // eax
    unsigned long v2; // eax
    unsigned long v3; // eax
    unsigned long v4; // edx
    unsigned long v6; // eax
    unsigned long v5; // eax
    unsigned long v8; // eax

    if( *(HashTable + 8) == 128 || *(HashTable + 28) != 0 ) {
        v8 = eax & 0xFFFFFF00;
    } else {
        if( *(HashTable + 12) == 0 ) {
            *(HashTable + 16) /= 2;
            v1 = *(HashTable + 16);
        } else {
            v1 = *(HashTable + 12) + 4294967295;
        }
        *(HashTable + 12) = v1;
        v2 = RtlpGetChainHead( edi, ebx );
        v3 = RtlpGetChainHead( esi, ebp );
        *(HashTable + 8) += 4294967295;
        if( v2 != *v2 && v3 != *v3 ) {
            *(HashTable + 24) += 4294967295;
        }
        v4 = v3;
        v5 = v4;
        while( v2 != *v2 ) {
            *v2 = **v2;
            *(**v2 + 4) = v2;
            if( v5 != *v4 ) {
                while( *(*v4 + 8) < *(*v2 + 8) ) {
                    if( v3 == **v4 ) {
                        v4 = *v4;
                        v5 = v3;
                        goto node_78;
                    } else {
                        v4 = *v4;
                    }
                }
            }
            v5 = v3;
            node_78:
            **v2 = *v4;
            *(*v2 + 4) = v4;
            *(*v4 + 4) = *v2;
            *v4 = *v2;
        }
        if( (*(HashTable + 8) & 0x7F) == 0 ) {
            v7 = *(HashTable + 32);
            v6 = ExFreePoolWithTag( *(v7 + *(HashTable + 8) / 128 * 4), 0 );
            *(v7 + *(HashTable + 8) / 128 * 4) = 0;
            if( *(HashTable + 8) == 128 ) {
                *(HashTable + 32) = *v7;
                v6 = ExFreePoolWithTag( v7, 0 );
            }
        } else {
            v6 = *(HashTable + 8) / 128;
        }
        v8 = v6 & 0xFFFFFF00 | 0x1;
    }
    return v8;

*/

    return 0;
}


BOOLEAN
RtlExpandHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    );


/*
 * Stub for RtlExpandHashTable.
 *
 * The table is not grown and no pool is allocated; 0 (failure / "no
 * change") is returned.  HashTable is ignored.
 *
 * The commented block is decompiler output of the original routine, kept
 * as a porting reference.  Note that it reads `v6` before any assignment
 * and re-uses `HashTable` as a cursor -- both are decompiler artefacts
 * that would need to be resolved before the code is revived.
 */
BOOLEAN
RtlExpandHashTable_k8 (
    PRTL_DYNAMIC_HASH_TABLE HashTable
    )
{
    (void)HashTable;

/*
    
    unsigned int v12;
    unsigned long v1;
    unsigned int v3;
    unsigned int v7;
    unsigned int v8;
    unsigned int v9;
    unsigned long v10;
    unsigned long eax; // eax
    unsigned long ebx; // ebx
    unsigned long edi; // edi
    unsigned long v5; // ecx
    int v2; // eax
    unsigned long v4; // eax
    unsigned long v11; // eax
    unsigned long v6;

    if( *(HashTable + 8) == 65536 || *(HashTable + 28) != 0 ) {
        v11 = eax & 0xFFFFFF00;
    } else {
        if( *(HashTable + 8) == 128 ) {
            v12 = *(HashTable + 32);
            v2 = ExAllocatePoolWithTag( 0, 2048, 1650545736 );
            if( v2 != 0 ) {
                _memset( v2, 0, 2048 );
                *v2 = v12;
                *(HashTable + 32) = v2;
                goto node_31;
            }
        } else {
            node_31:
            v1 = *(HashTable + 32);
            v2 = *(v1 + *(HashTable + 8) / 128 * 4);
            if( v2 == 0 ) {
                v2 = RtlpAllocateSecondLevelDir();
                if( v2 != 0 ) {
                    *(v1 + *(HashTable + 8) / 128 * 4) = v2;
                    goto node_49;
                } else if( *(HashTable + 8) == 128 ) {
                    *(HashTable + 32) = *v1;
                    v2 = ExFreePoolWithTag( v1, 0 );
                }
            } else {
                node_49:
                v3 = *(HashTable + 12);
                *(HashTable + 8) += 1;
                v4 = RtlpGetChainHead( edi, ebx );
                *(HashTable + 12) = v3 + 1;
                if( v4 != *v4 ) {
                    HashTable = v4;
                    v5 = HashTable;
                    while( 1 ) {
                        v7 = *(*v5 + 8) >> (*(v6 + 4) & 0x1F) & (*(v6 + 16) + *(v6 + 16) | 0x1);
                        if( *(v6 + 8) + 4294967295 == v7 ) {
                            **(*v5 + 4) = **v5;
                            *(**v5 + 4) = *(*v5 + 4);
                            v8 = *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4);
                            **v5 = v2 + (*(v6 + 8) & 0x7F) * 8;
                            *(*v5 + 4) = v8;
                            *v8 = *v5;
                            *(v2 + (*(v6 + 8) & 0x7F) * 8 + 4) = *v5;
                        } else {
                            HashTable = *v5;
                        }
                        if( v4 == *v6 ) {
                            break;
                        }
                        v5 = v6;
                    }
                    v9 = *(v2 + (*(v6 + 8) & 0x7F) * 8);
                    if( v2 + (*(v6 + 8) & 0x7F) * 8 != v9 ) {
                        *(v6 + 24) += 1;
                    }
                    if( v4 == *v4 ) {
                        *(v6 + 24) += 4294967295;
                    }
                }
                if( *(HashTable + 16) + 1 == *(HashTable + 12) ) {
                    v10 = *(HashTable + 16) + *(HashTable + 16) | 0x1;
                    *(HashTable + 12) = 0;
                    *(HashTable + 16) = v10;
                } else {
                    v10 = *(HashTable + 16);
                }
                return v10 & 0xFFFFFF00 | 0x1;
            }
        }
        v11 = v2 & 0xFFFFFF00;
    }
    return v11;

*/

    return 0;
}


/*
 * ALPC message-context attribute.  Passed as the MessageContext argument of
 * ZwAlpcCancelMessage_k8 to identify the message to cancel.  Field order and
 * sizes are the ABI seen by the caller; do not reorder.
 */
typedef struct _ALPC_CONTEXT_ATTR
{
    VOID *PortContext;      // caller-supplied port context
    VOID *MessageContext;   // caller-supplied per-message context
    unsigned long Sequence;
    unsigned long MessageId;
    unsigned long CallbackId;
} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;


NTSTATUS
ZwAlpcCancelMessage_k8 (
    HANDLE PortHandle,
    ULONG Flags,
    PALPC_CONTEXT_ATTR MessageContext
    );


/*
 * Stub for ZwAlpcCancelMessage.
 *
 * No message is cancelled; the call succeeds unconditionally and all three
 * parameters are ignored.
 *
 * The commented block is decompiler output of the original ntdll/kernel
 * thunk (a system-service dispatch), kept only as a reference.
 */
NTSTATUS
ZwAlpcCancelMessage_k8 (
    HANDLE PortHandle,
    ULONG Flags,
    PALPC_CONTEXT_ATTR MessageContext
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)Flags;
    (void)MessageContext;

/*
    
    int return_address; // [esp+0]
    int v1; // eax

//    __asm.pushfd();
    __asm{
        pushfd
    }
    _KiSystemService( 8, return_address );
    return v1;
    
*/

    return status;
}


// Opaque ALPC object handle (section, resource-reserve or security context);
// produced by the ZwAlpc*Create* stubs below and consumed by the matching
// ZwAlpc*Delete* stubs.
typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE;

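#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwAlpcCreatePortSection_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    HANDLE      SectionHandle,
    SIZE_T      SectionSize,
    PALPC_HANDLE      AlpcSectionHandle,
    PSIZE_T      ActualSectionSize
    );


/*
 * Stub for ZwAlpcCreatePortSection: no port section is created.
 *
 * The earlier version returned STATUS_SUCCESS while leaving
 * *AlpcSectionHandle and *ActualSectionSize unwritten, so a caller that
 * follows the documented contract would continue with an uninitialized
 * section handle.  The stub now clears both outputs and reports
 * STATUS_NOT_IMPLEMENTED so the missing functionality surfaces as an
 * ordinary error at the call site.
 *
 * PortHandle, Flags, SectionHandle, SectionSize - ignored.
 * AlpcSectionHandle - receives NULL when non-NULL.
 * ActualSectionSize - receives 0 when non-NULL.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwAlpcCreatePortSection_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    HANDLE      SectionHandle,
    SIZE_T      SectionSize,
    PALPC_HANDLE      AlpcSectionHandle,
    PSIZE_T      ActualSectionSize
    )
{
    (void)PortHandle;
    (void)Flags;
    (void)SectionHandle;
    (void)SectionSize;

    // Never hand back an indeterminate handle/size on the failure path.
    if( AlpcSectionHandle != NULL ) {
        *AlpcSectionHandle = NULL;
    }
    if( ActualSectionSize != NULL ) {
        *ActualSectionSize = 0;
    }

    return STATUS_NOT_IMPLEMENTED;
}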


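#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwAlpcCreateResourceReserve_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    SIZE_T      MessageSize,
    PALPC_HANDLE      ResourceId
    );     


/*
 * Stub for ZwAlpcCreateResourceReserve: no reserve is created.
 *
 * The earlier version returned STATUS_SUCCESS without writing *ResourceId,
 * leaving the caller with an uninitialized reserve handle.  The stub now
 * clears the output and reports STATUS_NOT_IMPLEMENTED.
 *
 * PortHandle, Flags, MessageSize - ignored.
 * ResourceId - receives NULL when non-NULL.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwAlpcCreateResourceReserve_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    SIZE_T      MessageSize,
    PALPC_HANDLE      ResourceId
    )
{
    (void)PortHandle;
    (void)Flags;
    (void)MessageSize;

    if( ResourceId != NULL ) {
        *ResourceId = NULL;
    }

    return STATUS_NOT_IMPLEMENTED;
}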


// private
 // ALPC security attribute handed to ZwAlpcCreateSecurityContext_k8.
 // Flags and QoS are caller input; ContextHandle is presumably the handle the
 // real implementation fills in and that ZwAlpcDeleteSecurityContext_k8 later
 // takes (the stub below never sets it).  Layout is ABI; do not reorder.
 typedef struct _ALPC_SECURITY_ATTR
 {
     ULONG Flags;
     PSECURITY_QUALITY_OF_SERVICE QoS;
     ALPC_HANDLE ContextHandle; // dbg
 } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
 
 // begin_rev
 // ALPC_DATA_VIEW_ATTR.Flags bit: view is not required to be secure.
 #define ALPC_VIEWFLG_NOT_SECURE 0x40000
 // end_rev
 
 // private
 // ALPC data-view attribute for ZwAlpcCreateSectionView_k8.  SectionHandle is
 // the ALPC_HANDLE returned by ZwAlpcCreatePortSection_k8; ViewBase is an
 // output (the mapped base, later passed to ZwAlpcDeleteSectionView_k8) and
 // must be zero on input.  Layout is ABI; do not reorder.
 typedef struct _ALPC_DATA_VIEW_ATTR
 {
     ULONG Flags;               // ALPC_VIEWFLG_* bits
     ALPC_HANDLE SectionHandle;
     PVOID ViewBase; // must be zero on input
     SIZE_T ViewSize;
 } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;


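#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwAlpcCreateSectionView_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PALPC_DATA_VIEW_ATTR      ViewAttributes
    );


/*
 * Stub for ZwAlpcCreateSectionView: no view is mapped.
 *
 * The earlier version returned STATUS_SUCCESS without producing a view, so
 * a caller would treat ViewAttributes->ViewBase as a mapped address.  The
 * stub now leaves ViewBase explicitly NULL and reports STATUS_NOT_IMPLEMENTED.
 *
 * PortHandle, Flags - ignored.
 * ViewAttributes - when non-NULL, ViewBase is set to NULL; ViewSize and the
 *                  remaining fields are left as supplied.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwAlpcCreateSectionView_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PALPC_DATA_VIEW_ATTR      ViewAttributes
    )
{
    (void)PortHandle;
    (void)Flags;

    if( ViewAttributes != NULL ) {
        ViewAttributes->ViewBase = NULL;
    }

    return STATUS_NOT_IMPLEMENTED;
}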


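#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwAlpcCreateSecurityContext_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PALPC_SECURITY_ATTR      SecurityAttribute
    );


/*
 * Stub for ZwAlpcCreateSecurityContext: no security context is created.
 *
 * The earlier version returned STATUS_SUCCESS without filling
 * SecurityAttribute->ContextHandle, so a caller would carry an
 * uninitialized context handle into later ALPC calls.  The stub now clears
 * the handle and reports STATUS_NOT_IMPLEMENTED.
 *
 * PortHandle, Flags - ignored.
 * SecurityAttribute - when non-NULL, ContextHandle is set to NULL; Flags and
 *                     QoS are left as supplied.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwAlpcCreateSecurityContext_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PALPC_SECURITY_ATTR      SecurityAttribute
    )
{
    (void)PortHandle;
    (void)Flags;

    if( SecurityAttribute != NULL ) {
        SecurityAttribute->ContextHandle = NULL;
    }

    return STATUS_NOT_IMPLEMENTED;
}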


NTSTATUS
ZwAlpcDeletePortSection_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    ALPC_HANDLE      SectionHandle
    );


/*
 * Stub for ZwAlpcDeletePortSection.
 *
 * Nothing is deleted; the call reports success unconditionally so that
 * teardown paths in the caller run to completion.  All parameters are
 * ignored.
 */
NTSTATUS
ZwAlpcDeletePortSection_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    ALPC_HANDLE      SectionHandle
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)Flags;
    (void)SectionHandle;

    return status;
}


NTSTATUS
ZwAlpcDeleteSectionView_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PVOID      ViewBase
    );


/*
 * Stub for ZwAlpcDeleteSectionView.
 *
 * No view is unmapped; the call reports success unconditionally so that
 * teardown paths in the caller run to completion.  All parameters are
 * ignored.
 */
NTSTATUS
ZwAlpcDeleteSectionView_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    PVOID      ViewBase
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)Flags;
    (void)ViewBase;

    return status;
}


NTSTATUS
ZwAlpcDeleteSecurityContext_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    ALPC_HANDLE      ContextHandle
    );


/*
 * Stub for ZwAlpcDeleteSecurityContext.
 *
 * No context is released; the call reports success unconditionally so
 * that teardown paths in the caller run to completion.  All parameters
 * are ignored.
 */
NTSTATUS
ZwAlpcDeleteSecurityContext_k8 (
    HANDLE      PortHandle,
    ULONG      Flags,
    ALPC_HANDLE      ContextHandle
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)Flags;
    (void)ContextHandle;

    return status;
}


NTSTATUS
ZwAlpcDisconnectPort_k8 (
    HANDLE      PortHandle,
    ULONG      Flags
    );


/*
 * Stub for ZwAlpcDisconnectPort.
 *
 * The port is not disconnected; the call reports success unconditionally
 * so that teardown paths in the caller run to completion.  Both parameters
 * are ignored.
 */
NTSTATUS
ZwAlpcDisconnectPort_k8 (
    HANDLE      PortHandle,
    ULONG      Flags
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)Flags;

    return status;
}


 // private
 // Information-class selector for ZwAlpcQueryInformation_k8 (q:) and
 // ZwAlpcSetInformation_k8 (s:).  The trailing comment on each value names
 // the buffer type the real call expects in PortInformation.  Values are
 // positional ABI; never insert or reorder entries.
 typedef enum _ALPC_PORT_INFORMATION_CLASS
 {
     AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
     AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
     AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
     AlpcConnectedSIDInformation, // q: in SID
     AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
     AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
     AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
     AlpcUnregisterCompletionListInformation, // s: VOID
     AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
     AlpcRegisterCallbackInformation, // kernel-mode only
     AlpcCompletionListRundownInformation, // s: VOID
     AlpcWaitForPortReferences,
     MaxAlpcPortInfoClass // one past the last valid class; use for range checks
 } ALPC_PORT_INFORMATION_CLASS;


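#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwAlpcQueryInformation_k8 (
    HANDLE      PortHandle,
    ALPC_PORT_INFORMATION_CLASS      PortInformationClass,
    PVOID      PortInformation,
    ULONG      Length,
    PULONG      ReturnLength
    );


/*
 * Stub for ZwAlpcQueryInformation: nothing is queried.
 *
 * The earlier version returned STATUS_SUCCESS without writing a byte of
 * PortInformation or *ReturnLength, so a caller would read an
 * uninitialized information buffer as valid data.  The stub now reports
 * zero bytes returned and STATUS_NOT_IMPLEMENTED.  PortInformation is
 * deliberately not written: its layout depends on PortInformationClass
 * and Length may be smaller than any of them.
 *
 * PortHandle, PortInformationClass, PortInformation, Length - ignored.
 * ReturnLength - receives 0 when non-NULL.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwAlpcQueryInformation_k8 (
    HANDLE      PortHandle,
    ALPC_PORT_INFORMATION_CLASS      PortInformationClass,
    PVOID      PortInformation,
    ULONG      Length,
    PULONG      ReturnLength
    )
{
    (void)PortHandle;
    (void)PortInformationClass;
    (void)PortInformation;
    (void)Length;

    if( ReturnLength != NULL ) {
        *ReturnLength = 0;
    }

    return STATUS_NOT_IMPLEMENTED;
}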


NTSTATUS
ZwAlpcSetInformation_k8 (
    HANDLE      PortHandle,
    ALPC_PORT_INFORMATION_CLASS      PortInformationClass,
    PVOID      PortInformation,
    ULONG      Length
    );


/*
 * Stub for ZwAlpcSetInformation.
 *
 * No port attribute is changed; the call reports success unconditionally
 * and every parameter is ignored.  A caller that sets, e.g., a completion
 * port association will therefore never observe the effect.
 */
NTSTATUS
ZwAlpcSetInformation_k8 (
    HANDLE      PortHandle,
    ALPC_PORT_INFORMATION_CLASS      PortInformationClass,
    PVOID      PortInformation,
    ULONG      Length
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)PortHandle;
    (void)PortInformationClass;
    (void)PortInformation;
    (void)Length;

    return status;
}
    

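#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwCreateIoCompletion_k8 (
    PHANDLE      IoCompletionHandle,
    ACCESS_MASK      DesiredAccess,
    POBJECT_ATTRIBUTES      ObjectAttributes,
    ULONG      Count
    );     


/*
 * Stub for ZwCreateIoCompletion: no completion object is created.
 *
 * The earlier version returned STATUS_SUCCESS without writing
 * *IoCompletionHandle, so a caller following the documented contract would
 * continue with an uninitialized handle.  The stub now clears the output
 * handle and reports STATUS_NOT_IMPLEMENTED so the failure is visible at
 * the call site.
 *
 * IoCompletionHandle - receives NULL when non-NULL.
 * DesiredAccess, ObjectAttributes, Count - ignored.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwCreateIoCompletion_k8 (
    PHANDLE      IoCompletionHandle,
    ACCESS_MASK      DesiredAccess,
    POBJECT_ATTRIBUTES      ObjectAttributes,
    ULONG      Count
    )
{
    (void)DesiredAccess;
    (void)ObjectAttributes;
    (void)Count;

    if( IoCompletionHandle != NULL ) {
        *IoCompletionHandle = NULL;
    }

    return STATUS_NOT_IMPLEMENTED;
}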


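#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwImpersonateAnonymousToken_k8 (
    HANDLE      ThreadHandle    
    );


/*
 * Stub for ZwImpersonateAnonymousToken: the thread is NOT switched to the
 * anonymous token.
 *
 * The earlier version returned STATUS_SUCCESS, which tells the caller that
 * ThreadHandle now runs with the (unprivileged) anonymous identity while in
 * fact it keeps its original security context.  A caller that impersonates
 * in order to drop privilege before acting on untrusted input would then
 * proceed under the wrong assumption.  Reporting STATUS_NOT_IMPLEMENTED
 * keeps that failure explicit; callers treat it like any other error.
 *
 * ThreadHandle - ignored.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwImpersonateAnonymousToken_k8 (
    HANDLE      ThreadHandle    
    )
{
    (void)ThreadHandle;

    return STATUS_NOT_IMPLEMENTED;
}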


 // private
 // One dequeued I/O completion packet.  ZwRemoveIoCompletionEx_k8 takes an
 // array of these (Count entries) and reports how many it filled through
 // NumEntriesRemoved.  Layout is ABI; do not reorder.
 typedef struct _FILE_IO_COMPLETION_INFORMATION
 {
     PVOID KeyContext;
     PVOID ApcContext;
     IO_STATUS_BLOCK IoStatusBlock;
 } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION;


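#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif

NTSTATUS
ZwRemoveIoCompletionEx_k8 (
    HANDLE      IoCompletionHandle,
    PFILE_IO_COMPLETION_INFORMATION      IoCompletionInformation,
    ULONG      Count,
    PULONG      NumEntriesRemoved,
    PLARGE_INTEGER      Timeout,
    BOOLEAN      Alertable
    );


/*
 * Stub for ZwRemoveIoCompletionEx: no packet is dequeued.
 *
 * The earlier version returned STATUS_SUCCESS without writing
 * *NumEntriesRemoved, so a caller would iterate an uninitialized count
 * over an unwritten IoCompletionInformation array.  The stub now reports
 * zero entries and STATUS_NOT_IMPLEMENTED.  The array itself is not
 * touched; a count of zero is what tells the caller nothing is there.
 *
 * IoCompletionHandle, IoCompletionInformation, Count, Timeout, Alertable -
 *     ignored.
 * NumEntriesRemoved - receives 0 when non-NULL.
 * Returns STATUS_NOT_IMPLEMENTED.
 */
NTSTATUS
ZwRemoveIoCompletionEx_k8 (
    HANDLE      IoCompletionHandle,
    PFILE_IO_COMPLETION_INFORMATION      IoCompletionInformation,
    ULONG      Count,
    PULONG      NumEntriesRemoved,
    PLARGE_INTEGER      Timeout,
    BOOLEAN      Alertable
    )
{
    (void)IoCompletionHandle;
    (void)IoCompletionInformation;
    (void)Count;
    (void)Timeout;
    (void)Alertable;

    if( NumEntriesRemoved != NULL ) {
        *NumEntriesRemoved = 0;
    }

    return STATUS_NOT_IMPLEMENTED;
}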


///////////////////////////////////////////////////////////////////

 

 

Edited by Damnation
Posted (edited)

@Damnation

What do I have to do with my original 5512 ntkrnlpa.exe,

so that all your files are recognized?

And do you use ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32 ?

Which storport.sys I should use

Dietmar

PS: Anyway nice work:cheerleader:

EDIT: I think, you forget the following

"Make corrections to target driver XXX.sys so that it loads ntoskrn8.sys instead of the original ntoskrnl.exe"

Edited by Dietmar
Posted
14 minutes ago, Dietmar said:

And do you use ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32 ?

Which storport.sys I should use

yeah, although not tested yet.

storport is unchanged.

yeah I haven't changed the import tables of these drivers yet.

Posted (edited)

@Damnation

I never worked before with the Kernel Extender from @Mov AX, 0xDEAD.

Can you tell me at which places I have to change the name ntoskrnl.exe ---> ntoskrn8.sys via IDA Pro?

Dietmar

PS: Or can you do this for me? First test with the free versions of ndis.sys, netio.sys, msrpc.sys from win7 SP1 bit32.

Edited by Dietmar
Posted

@Damnation

Thanks a lot!

Now the only thing is missed I think,

is to do the same for the intel Lan driver for the i219 device.

It also has some unresolved dependencies on ntoskrnl.exe from XP SP3.

Dietmar

PS: Here is the driver e1d6232.sys .

It also has 11 unresolved dependencies on the original ntoskrnl.exe from XP SP3;

maybe you have already integrated most of them.

https://ufile.io/exw6n4cm

Then we only need to mod its *.inf. Maybe I can extract the registry entries of this driver running under Win7 SP1 32-bit

for the i219 device.

 

Posted

@Dietmar Windows 7 NDIS is 6.3, Vista NDIS is 6.0

@Damnation Which one did you take as the target?

 

Here are latest files for both architectures and versions

https://www.mediafire.com/file/serxsmclqslf5cv/NDIS6.0+6.3_latest_untouched.7z/file

Posted
7 minutes ago, Dietmar said:

@Damnation

Thanks a lot!

Now the only thing is missed I think,

is to do the same for the intel Lan driver for the i219 device.

It also has some unresolved dependencies on ntoskrnl.exe from XP SP3.

Dietmar

PS: Here is the driver e1d6232.sys .

It also has 11 unresolved dependencies on the original ntoskrnl.exe from XP SP3;

maybe you have already integrated most of them.

https://ufile.io/exw6n4cm

Then we only need to mod its *.inf. Maybe I can extract the registry entries of this driver running under Win7 SP1 32-bit

for the i219 device.

 

Just fix the import to point to ntoskrn8.sys instead of ntoskrnl.exe, and that's all — provided you have already compiled ntoskrn8.sys from the post above.
